War Games: Teaching Web Security Hands-On
Helen Ashman,
University of Nottingham, U.K.
hla@cs.nott.ac.uk
Abstract
While some Computer Science subjects can be taught from
textbooks and lectures, some materials are inherently suitable for medium-term
class exercises. Teaching the new topic G53CAS Cryptography and Security
(HREF1)
at the School of Computer Science and Information Technology in the University
of Nottingham in the second semester (February to May 2000) has shown that a
competitive, group-based assessed exercise can motivate and interest
substantially more than the usual lectures, giving the students an effective
and memorable learning experience.
Introduction
The students were final-year undergraduates on a Computer Science degree. The
coursework provides 25% of the final mark toward G53CAS Cryptography and
Security, an optional module available only to final-year Computer Science
students. The module comprises an approximate 50/50 split between cryptography
and network and Web security.
There were 86 students registered for the module. They were divided into ten groups
of 8 or 9 students each. While these were large groups, they were a suitable
size for the exercise as there was a substantial amount of work involved in setting
up services, researching, maintenance of services, regularly testing availability
of other groups' services, and attempting to compromise other groups' services
while defending and recovering their own.
The exercise was carried out on the School's Network Laboratory. For the duration
of the exercise, the Network Laboratory was physically isolated from all external
networks. While this was sometimes a problem for students wishing to download
software (although they could still use the CD-ROM drives), it was preferable
to restrict them than to make it possible for accidental hacking (either real or
imagined/accused) to be perpetrated on external networks.
Each of the machines was "dual boot", i.e. it could run either Linux or the Windows
NT operating systems. Each group was assigned a machine for their sole use.
Part of the exercise was for the groups to decide which operating system and Web
server combination they wished to use to provide the services, and to justify
this decision.
Because of the limitations of the size and configuration of the Networking Laboratory,
there were some classes of security that students were not able to study
in-depth during this exercise. These included physical security of equipment
and network and email.
The services groups were to provide were:
- a Web server, providing plain HTML pages to any clients at all
- password-protected Web pages, available only to authorised users
- the Web server providing simple CGI scripts
- an ftp server, for anonymous and authorised users
- telnet for authorised users only
Students had to create new users, at least one such user for each of the other
groups, telling them what their passwords are. These other users should have been
able to access the group's machine as authorised users of ftp and telnet. Authorised
users should also be able to access the password-protected Web pages. Anyone
at all should be able to access the plain HTML pages, the CGI scripts and anonymous
ftp.
Another part of the exercise involved fine-tuning the software on the group's
machines, tightening all security in every way necessary.
Assessment
Students were assessed on three components:
- The first 15 marks (out of 25) for each student were defined by a group
report. This report included a summary of the group's activities and decisions,
including platform chosen and reasons for this choice; logs of all important "events",
i.e. all attempted attacks on the group's machine and services that were detected, including
time and date, nature, origin of attack if known, action taken to
prevent/deflect/recover from attack, the damage done including down time and loss of
service, an assessment of how well you handled the event; logs of all the group's
attempted attacks on other groups, including identity of group attacked, time,
date and nature of attack, source of the idea for this attack, "success" of the
attack, i.e. any apparent loss or degrading of services from that group's machines,
any apparent defensive mechanisms already in place, action taken by attacked
group to defend (if known), an assessment of how well the other group handled the
attack; logs of your occasional attempts to make legitimate use of the services
of other machines, including time and date of attempted normal (legitimate) usage,
identity of host machine and services requested, response from host - speed or
existence of response, quality of information retrieved (e.g. are they the "real" pages?).
- The next 5 marks (out of 25) were decided by each student's individual report.
Each individual had to hand in a short report detailing their own contribution,
how they rated their own contribution and how they rated the contribution of
other group members.
- The remaining 5 marks (out of 25) were determined by the rating of that student
by the other members of the group.
Warnings
The students were given strong and repeated warnings about the consequences of
attempting any of the illicit behaviours outside of the isolated Network
Laboratory. The notice was as follows:
You are ONLY permitted to perpetrate attacks on other machines:
ONLY during the time of this coursework (from today until 24 March 2000)
and ONLY within the environment of the B74 Networking Laboratory.
Another VERY IMPORTANT thing to keep in mind is that this is ONLY a software-based
exercise. You are NOT to interfere with the equipment in the B74 Networking
Laboratory in any way.
If you are detected attacking any other machine or services, either within the
University or outside, you could be expelled from the University.
If you interfere with the equipment or connections in the B74 Network Laboratory,
this too could lead to expulsion from the University.
In other words, JUST DON'T DO IT.
Poachers or gamekeepers?
The purpose of the coursework was not to teach students how to hack, but to give
them an understanding of how it is done so they can protect machines and services
when they go out to work after their degree. If they don't know how attacks are
made, they can't provide the best protection from them.
Even if a student's subsequent job does not directly entail securing machines
and services, it is still important for them to realise how machines are vulnerable
to attack, and how simple mistakes by ordinary users can defeat the best
security measures.
White and Nordstrom dealt with accusations of "teaching students how to hack" in
a similar class exercise (White and Nordstrom, 1996). They
noted that:
There are scores of hackers operating throughout the Internet today. We believe
that hiding their techniques from our students only leads to a generation of
system administrators who are "sitting ducks" for the hackers that are out there.
We use a knowledge of security holes to teach our students what must be done in
order to secure their own systems.
The results of the class exercise at Nottingham support this. We have no evidence
that students have mis-used the knowledge gained by this exercise. This may be
in part due to the warnings, and in part due to the "class culture" promoted
throughout lectures, which places both lecturer and students firmly in the "defending"
position. The exercise reinforced this position by encouraging students to
feel personally responsible for the success of defending their services and
quickly reinstating them when necessary.
Side effects
The exercise has had the side effect of suggesting some improvements to other
taught modules, while confirming others. For example, it was discovered that most
of the students had little or no experience in setting up Web servers or other
network-based services such as ftp or telnet. In general, they had no experience
of any form of computer and network administration. On the other hand, they had
an excellent understanding of computer network principles which was manifested
in the predominance of packet-based attacks. These observations are being fed back
into the relevant supporting courses, with, for example, the G5BIAW Internet
and World Wide Web module to subsequently include an exercise on establishing
a Web server and related services.
Another beneficial side effect is that the students' reports are being circulated
amongst the technical services staff in the School. At this stage, reports have
only just been released to technical services staff, following marking and
assessment; however, we envisage that 86 students' worth of research is bound to
contain something of real interest to these staff. If nothing else, the exercise
serves to educate both technical and academic staff about these important issues
and to reiterate them.
Student opinions
It was gratifying to see the enthusiasm with which the students undertook this
exercise. They put in a much larger amount of effort than was expected, and at
one stage, it was seen to be necessary to suggest they be careful of spending too
much time on it!
The adversarial nature of the exercise had many useful effects, including the
following which were noted by the students themselves:
- it made the exercise more interesting by giving them "real" attackers to
practise their skills against;
- it promoted strong bonds between the group members without creating friction
with other groups' members;
- it created a strong sense of personal responsibility for the success of the
group's services;
- it encouraged them to research and put to use up-to-date materials;
- they learned and expect to retain a great deal more than might normally be
expected in lectures.
There were very few negative comments, these being that the exercise took place
in the second semester which is when there are many competing demands on the
students' time, and that the four weeks allowed for the exercise was not enough time.
However this latter problem was partly due to the students' general lack of
knowledge about setting up services, and should be addressed in future by covering
that material in the co-requisite module.
Summary
While these observations are preliminary, this form of teaching and assessment
appears highly suitable and effective for i) increasing students' knowledge in
the area, ii) motivating students to self-directed study, iii) teaching students
to work successfully in groups with others of varying abilities, iv) instilling a
sense of personal responsibility for the success of the work, and v) reinforcing
their understanding of the "wrongness" of security attacks, by making them
responsible for fending them off.
References
(White and Nordstrom, 1996) Gregory White and Gregory Nordstrom, "Security across
the curriculum: using computer security to teach computer science principles",
Proc 19th International Information Systems Security Conference, reprinted in
D.E. Denning and P.J. Denning (eds), Internet Besieged - Countering Cyberspace
Scofflaws, ACM Press, 1998, pp 519-525.
Hypertext References
- HREF1: http://www.cs.nott.ac.uk/~hla/G53CAS/
Copyright
Helen Ashman, (c) 2000. The author assigns to
Southern Cross University and other educational and non-profit
institutions a non-exclusive licence to use this document for personal
use and in courses of instruction provided that the article is used in
full and this copyright statement is reproduced. The author also
grants a non-exclusive licence to Southern Cross University to publish
this document in full on the World Wide Web and on CD-ROM and in
printed form with the conference papers and for the document to be
published on mirrors on the World Wide Web.
AusWeb2K, the Sixth Australian World Wide Web Conference, Rihga Colonial Club Resort, Cairns, 12-17 June 2000