Cyber Practicals

Practical Cyber Security Exercises for the Undergraduate Syllabus

Suggestions from students, lecturers and employers, together with a review of reference material, have produced a range of security issues that need to be addressed in undergraduate computer science courses. This list has been pruned to those that could be included in the laboratory work of as many courses as possible. The result is a practical, technical focus: some topics, including security management, are omitted because they are better suited to degrees with specialist security content than to those aimed at general computer science students.

A distinctive feature of these exercises is that they include guidance in good security practice, rather than simply providing 'capture the flag' puzzles. Where possible they engage the student in constructing best practice solutions.

The exercises are packaged in an infrastructure-neutral format; the interactive exercise, its documentation, worksheets and answer sheets are packaged in virtual machines which can be deployed to student workstations, or a soft network fabric, as required. See the administration guide for details. The use of VMs in this way should also provide a long shelf-life for the products.

The exercises listed below have been externally reviewed in their final form and are freely available; please email us for copies.

SQL Injection

Web applications often rely on database queries for authenticating users and to provide the raw data which will be formatted into web pages. An injection attack is where attackers manipulate data input to the application to create malicious queries against the underlying database. These attacks are common: the 'OWASP Top 10 risks' lists injection as the number one threat to companies' websites.

This exercise will explore injection attacks and how they can be prevented.

Database Inference

Internet tracking of users' browsing and the control of personally identifiable records in census data and medical research amount to the same problem: managing the inference of sensitive information.

This exercise uses a database of examination results to explore how information about individuals can be extended by linking via attributes other than a user's name, and the effectiveness of policies to manage inference in statistical database queries.

Input Sanitisation and Cross-Site Scripting

Failure to restrict the inputs to a program to the range of values and characters anticipated by the programmer or the users of a system allows a wide range of attacks that place executable scripts or commands within what is expected to be innocent text.

This exercise explores an attack known as cross-site scripting, in which a user inadvertently executes a malicious browser script by visiting a website which has failed to constrain the input posted by other users.

Exploiting Errors

This exercise explores the problem of information revealed as a result of badly implemented error handling, in this case an implementation which leaks information about authentication failures.

The experiment is based on a password authentication algorithm in which the user's password is tested sequentially, allowing the timing of reported failures to indicate where in the password string the failure occurred. Given this information it is possible to guess the password one letter at a time.
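The leak described above, and the usual fix, as an added illustration that is not part of the exercise material: a comparison that stops at the first wrong character does an amount of work (and so takes a time) that depends on how much of the password is right, while a fixed-work comparison does not. The password, attempts and the comparison-counting harness are constructed for the example; a real system would compare password hashes rather than passwords.

```python
import hmac


def sequential_compare(stored: str, attempt: str) -> tuple:
    """Naive check that stops at the first differing character.
    Returns (match, comparisons): the count, and therefore the time taken,
    grows with the length of the correct prefix, which is the leak the
    exercise describes. The early length check leaks the length too."""
    comparisons = 0
    if len(stored) != len(attempt):
        return False, comparisons
    for a, b in zip(stored, attempt):
        comparisons += 1
        if a != b:
            return False, comparisons
    return True, comparisons


def constant_time_compare(stored: str, attempt: str) -> bool:
    """Fixed-work check: hmac.compare_digest does not stop at the first
    mismatch, so the yes/no result is the only information it gives away."""
    return hmac.compare_digest(stored.encode(), attempt.encode())


def comparison_profile(stored: str, attempts: list) -> list:
    """Comparison counts for a series of attempts: a constructed harness that
    makes the prefix dependence visible without timing anything."""
    return [sequential_compare(stored, a)[1] for a in attempts]


if __name__ == "__main__":
    SECRET = "hunter2"  # constructed sample password
    # Each attempt gets one more leading character right than the last.
    print(comparison_profile(SECRET, ["aaaaaaa", "haaaaaa", "hunaaaa", "hunter2"]))
    # prints [1, 2, 4, 7]: the count rises as more of the prefix is correct
    print(constant_time_compare(SECRET, "hunter2"), constant_time_compare(SECRET, "hunaaaa"))
```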

Exploiting Software

To an attacker a software bug is an opportunity to take control; if a bug can be used to modify how a program executes then it may be possible to design an exploit that allows the attacker to take control of the system. All bugs are potential vulnerabilities, but especially those that result in memory or CPU errors.

This exercise introduces the idea of fuzzing (supplying random input in the hope of provoking an error), then explores how an attacker can use such errors to control the execution of the program.

Digital Forensics

Digital forensic techniques are usually applied reactively in response to a crime or security event. However, the same techniques can be used to identify security problems in implementations of software, particularly in instances where programmers fail to consider the working of the file or operating system when attempting to delete critical information.

This exercise uses a set of command line forensic tools from The Sleuth Kit to explore the on-disk artefacts that result from use of a custom single-file encryption program.

Storing Passwords

Passwords can be stored in such a way that they can be used for authentication, but resist attack even if the storage is recovered for off-line exploitation. It is obviously a bad idea to store passwords in plain text; however, an understanding of why certain storage methods are better than others requires an understanding of the attacks used to recover passwords from systems.

This exercise explores a number of password attacks and the storage mechanisms needed to resist such attacks.
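One storage mechanism of the kind the exercise builds towards, added here as an example rather than taken from the exercise itself: a per-user random salt (so equal passwords give unrelated records and precomputed tables do not apply) and an iterated key derivation (so each off-line guess costs real work). The record format and iteration count are the example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor: slows off-line guessing; raise as hardware improves


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: equal passwords collide and a single
    precomputed table covers every user. Shown only as the weak case."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record carries its own
    parameters so the work factor can be raised later without breaking old
    records (constructed format: algorithm$iterations$salt_hex$digest_hex)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_records_differ(password: str) -> bool:
    """Two users choosing the same password get unrelated stored records,
    which is exactly what the unsalted hash fails to provide."""
    return hash_password(password) != hash_password(password)
```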

Random Numbers

Computer systems often need a source of random behaviour. Computer game enemies need to walk in unpredictable directions, cryptosystems need unpredictable keys and nonces, and Monte Carlo simulations need random values. Often such values are generated by deterministic but unpredictable (pseudorandom) sequences seeded with a small amount of true random noise.

There are many pitfalls in the design and use of pseudorandom generators which make the resulting sequence more predictable. This exercise reviews these issues, highlighting the need for sound design and careful use of library sources of random data.

Information and Information Leakage

This exercise distinguishes 'information' from 'data', highlights that the exposure of small amounts of information can be critical and develops skills in measuring and quantifying information.

The exercise is based on the measurement of users' keyboard typing patterns and estimates the average amount of information about typed characters that is leaked if it is possible to observe just the timing of a user's typing.

Cryptography and Integrity

Strong cryptographic primitives are necessary, but poor use of such systems or a misunderstanding about the form of security that they provide may result in systems that do not provide adequate security.

This exercise develops attacks against simple cryptosystems (one-time pads) and stream cyphers to develop an understanding of the problems of key re-use, and the need to supplement confidentiality protection with measures to ensure the integrity of underlying data.
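The two problems the exercise names, shown in code as an added example (not the exercise's own material): reusing a pad makes the XOR of two ciphertexts equal the XOR of the two plaintexts, and XOR encryption alone lets ciphertext edits pass through as silent plaintext changes, which an encrypt-then-MAC tag detects. The pad, MAC key and messages are constructed sample values.

```python
import hashlib
import hmac


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """One-time pad (or stream-cipher keystream): ciphertext = pad XOR message.
    Decryption is the same operation."""
    if len(pad) < len(msg):
        raise ValueError("pad too short")
    return xor(pad, msg)


def pad_reuse_residue(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages, c1 XOR c2 == p1 XOR p2: the pad
    cancels and the two plaintexts become related with no key material at all."""
    return xor(c1, c2)


def seal(pad: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: an HMAC tag over the ciphertext binds its contents."""
    ct = otp_encrypt(pad, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(pad: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not match the ciphertext."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return otp_encrypt(pad, ct)


def tamper(blob: bytes, index: int) -> bytes:
    """Flip one bit of the ciphertext; without a MAC this silently changes
    the corresponding plaintext bit, which is why integrity protection is needed."""
    data = bytearray(blob)
    data[index] ^= 0x01
    return bytes(data)


# Constructed sample values: a fixed pad so the behaviour is reproducible.
PAD = bytes(range(7, 7 + 16))
MAC_KEY = b"constructed-mac-key"
P1, P2 = b"PAY 100 TO BOB!!", b"PAY 900 TO EVE!!"
```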

Encryption Modes and Information Leakage

The way that cryptographic primitives are used matters as much as the quality or strength of the underlying algorithm; the misuse of an otherwise strong algorithm can provide direct access to the information that the user wishes to conceal, or provide an attacker with short-cuts to recovering encrypted data.

This exercise begins with a simple Caesar cipher, and extends that to code-book encryption of images in which even the strongest algorithms are unable to prevent the image being recognised in the encrypted form. The exercise then introduces other modes to highlight important decisions in the application of block ciphers.
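The codebook-mode leakage described above, as an added example that is not part of the exercise: a constructed toy block cipher (a 4-round Feistel network over 8-byte blocks, chosen only because it is a keyed permutation that fits in a few lines) is run in ECB and in CBC mode over a constructed two-tone "image". Under ECB the 32 plaintext blocks, of which only two are distinct, produce only two distinct ciphertext blocks, so the picture survives encryption; under CBC the chaining removes the repetition. Key and IV are sample values.

```python
import hashlib

BLOCK = 8  # toy 64-bit block so the whole construction stays short


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(half: bytes, key: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel cipher: a fixed permutation of 8-byte
    blocks under the key, which is all the mode comparison needs."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor(left, _round_function(right, key, i))
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Codebook mode: every block is encrypted independently, so equal
    plaintext blocks give equal ciphertext blocks and structure survives."""
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Cipher block chaining: each block is XORed with the previous ciphertext
    block before encryption, so repeated plaintext no longer repeats."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def distinct_blocks(ciphertext: bytes) -> int:
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


def compare_modes() -> tuple:
    """Constructed 'image': 16 rows, each a white 8-byte run then a black one,
    i.e. 32 blocks but only 2 distinct. Returns distinct ciphertext block
    counts as (ECB, CBC)."""
    image = (b"\xff" * BLOCK + b"\x00" * BLOCK) * 16
    key, iv = b"constructed-key-", bytes(range(BLOCK))
    return distinct_blocks(ecb_encrypt(key, image)), distinct_blocks(cbc_encrypt(key, iv, image))
```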