Vulnerability and Attack Labs

The goal of these labs is to achieve learning from mistakes. Vulnerabilities are often caused by mistakes in design, implementation, and configuration. Not many students can gain a full understanding of vulnerabilities and their corresponding attacks without going through some attacks first hand. We developed labs covering many common vulnerabilities and attacks. In each lab, students are given a system (or program) with hidden vulnerabilities. Based upon the hints provided, students must find these vulnerabilities, and then devise strategies to exploit them. Furthermore, students need to demonstrate ways to defend against the attacks or comment on the prevailing mitigating methods and their effectiveness. Each lab takes one to two weeks--10 hours per week--for average students.

Exploration Labs

The objective of the exploration labs are intended to enhance students' learning via observation, playing and exploration, so they can understand what security principles "feel" like in a real system; and to provide students with opportunities to apply security principles in analyzing and evaluating systems. To use an analogy, exploration labs are like a "guided tour" of a system, in which, students can "touch" and "interact with" the key components of a security system to learn the principles of security.

Design and Implemenation Labs

The goal of these labs is to achieve learning by system development. They allow student to apply security principles, concepts, and ideas to build a secure systems in a lab environment. In security education, students should also be given opportunities to apply security principles in designing and implementing systems. However, building a meaningful system usually takes longer than possible in a semester long course.

We identified several systems suitable for secure systems education, including firewalls, IPSec, Virtual Private Networks (VPN), access control systems in operating systems, and encrypted file systems. Each system covers a broad scope of security principles, making them suitable for projects. To make projects achievable within 4-6 weeks, we reduced the system functionalities, but we kept those essential for security. We also provided supporting materials to help students reduce time expended on necessary but non-essential--to security--functionalities.