Integrating Security into the CS1 at MSU
Supported by Microsoft Research
Faculty: Richard Enbody
If security is critically important, it must be introduced at all levels of the
curriculum, including CS1. Unfortunately, understanding many security vulnerabilities
requires advanced computer science topics. Fortunately, there are
issues which can be introduced into CS1.
- Threat Modeling:
While Threat Modeling per se does not fit CS1, an important component,
"All input is Evil" [1], can be introduced. To handle evil input we
are introducing the concept of "design by contract":
The main purpose of contracts is to help us build better software by
organizing the communication between software elements through specifying,
as precisely as possible, the mutual obligations and benefits that are
involved in those communications. [2]
The subset of design-by-contract appropriate for CS1 with respect to threat
modeling is the use of pre- and post-conditions for input routines. While
pre- and post-conditions are not new, the tie-in with threat modeling is new
and can be used to motivate students in CS1. In addition, the threat modeling
connection allows us to limit pre- and post-conditions to situations whose
need can be made obvious. Supporting materials are under development.
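The following is an added illustration of the idea above, not part of the MSU materials (which the page says are still under development). It assumes a CS1-style Python program with an age-parsing input routine, a `contract` decorator, and a 0..130 age range; all of these are constructed for the example. The input routine accepts any string (weak precondition) and guarantees a validated result (strong postcondition), while the routine that consumes the value demands already-validated input (strong precondition), so the obligation to handle evil input sits in exactly one place.

```python
"""Design-by-contract for an input routine: pre-conditions state what a
function requires of its caller, post-conditions state what it guarantees.
Checking both at runtime makes hostile or malformed input fail loudly at
the boundary instead of propagating. (Added example; names and the 0..130
range are constructed, not taken from the course materials.)"""

import functools
import re


class ContractError(Exception):
    """Raised when a pre- or post-condition is violated."""


def contract(requires=None, ensures=None):
    """Decorator attaching a precondition (checked on the arguments) and a
    postcondition (checked on the result) to a function."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            if requires is not None and not requires(*args, **kwargs):
                raise ContractError(
                    f"precondition violated in {func.__name__}: {args!r}")
            result = func(*args, **kwargs)
            if ensures is not None and not ensures(result, *args, **kwargs):
                raise ContractError(
                    f"postcondition violated in {func.__name__}: {result!r}")
            return result
        return wrapper
    return decorate


MAX_DIGITS = 8  # constructed limit: refuse absurdly long numeric strings


@contract(requires=lambda text: isinstance(text, str),
          ensures=lambda result, text: result is None
          or (isinstance(result, int) and 0 <= result <= 130))
def parse_age(text):
    """Input routine. Precondition: the caller passes a str (anything the
    user typed is acceptable). Postcondition: the result is None or an int
    in 0..130, so downstream code never sees an unvalidated value."""
    # Length check first: even "all digits" can be evil if it is huge.
    if len(text) > MAX_DIGITS:
        return None
    # Only ASCII digits; [0-9] avoids Unicode digit classes that \d accepts.
    if not re.fullmatch(r"[0-9]+", text):
        return None
    value = int(text)
    return value if value <= 130 else None


@contract(requires=lambda age: isinstance(age, int) and 0 <= age <= 130,
          ensures=lambda result, age: 0 <= result <= 65)
def years_to_retirement(age):
    """Consumer routine. Precondition: age is already a validated int in
    0..130, so this function does no input handling of its own."""
    return max(0, 65 - age)


def classify_inputs(samples):
    """Run parse_age over raw strings and report what each one became."""
    return {s: parse_age(s) for s in samples}


if __name__ == "__main__":
    # Constructed sample inputs, including a few 'evil' ones.
    samples = ["42", "007", "-5", "", "131", "9" * 40, "42; DROP TABLE users"]
    for raw, parsed in classify_inputs(samples).items():
        print(f"{raw!r:>28} -> {parsed}")
    print("years to retirement at 40:", years_to_retirement(40))
    try:
        years_to_retirement(-1)  # violates the consumer's precondition
    except ContractError as err:
        print("caught:", err)
```

The split between the two contracts is the point: `parse_age` promises a clean value or `None`, and `years_to_retirement` refuses anything else, so a student can see where the "all input is evil" check belongs and why a missing check is caught immediately rather than silently.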
- Buffer Overflow:
Buffer overflow remains a persistent vulnerability that underlies most attacks.
However, understanding even the simplest, first-generation
overflow attacks requires knowledge of advanced topics such as system stacks,
privileged execution, and return addresses. We have found a ten-year-old attack
which requires only the use of arrays. A description can be found here.
- Attack Demonstration:
Seeing is believing. To motivate a better appreciation for vulnerabilities
we are developing a demonstration system for "show-and-tell" of attacks.
Ideally, this will be a CD image which anyone can use for a demo.
Software such as the SubSeven Trojan allows one to violate a victim's
machine in silly ways: invert the screen, remap mouse buttons, open the CD
drawer, etc. Such a demo allows one to describe what a Trojan is, and
how it gets on the machine. Software such as SnadBoy allows one to peer
into "hidden" passwords as they are typed. That demo illustrates
behind-the-scenes exploitation. MetaSploit allows one to
easily compromise vulnerable machines remotely. Taken together, they
make an entertaining demonstration of easy-to-understand attacks at the CS1 level
(or lower).
Supporting material is under development, and will likely differ
significantly from these initial ideas.
[1] Title of Chapter 10, Writing Secure Code, 2nd Ed., by Howard & LeBlanc, Microsoft Press, 2003.
[2] Bertrand Meyer interview at http://www.artima.com/intv/contracts2.html