SLIDE 1
How Secure are our Computer Systems Courses?
Majed Almansoori, Jessica Lam, Elias Fang, Kieran Mulligan, Adalbert Gerald Soosai Raj, Rahul Chatterjee
1
2
Buildings Cars Hospitals Banks
How Secure are our Computer Systems Courses? Majed Almansoori, - - PowerPoint PPT Presentation
How Secure are our Computer Systems Courses? Majed Almansoori, - - PowerPoint PPT Presentation
madS&P How Secure are our Computer Systems Courses? Majed Almansoori, Jessica Lam, Elias Fang, Kieran Mulligan, Adalbert Gerald Soosai Raj, Rahul Chatterjee 1 Technology in modern society Banks Buildings Hospitals Cars 2
SLIDE 2
SLIDE 3
3
Computer security is important !!!
Technology comes with risks
SLIDE 4
4
Are we training our students on computer security?
Result: Software engineers with no security background! Top 20 CS programs in the US
(according to US News)
Source: https://www.usnews.com/best-graduate-schools/top-sci ence-schools/computer-science-rankings
Security courses are
- ffered as advanced electives
Students can graduate without taking any security course
SLIDE 5
Is security integrated in CS courses?
5
What about other computer science courses? We focus on Computer Systems Prior work evaluated database textbooks.
- Found plenty of SQL
injection bugs.
SLIDE 6
Image Source: http://users.ece.northwestern.edu/~kcoloma/ece361/lectures/lec01-introduction.pdf
6
What is a Computer Systems course?
Computer Systems Course Focuses on the software part
SLIDE 7
We ask:
Are computer systems courses taught securely?
7
RQ1: Do students use unsafe C/C++ functions in their projects? RQ2: Is computer systems course taught using unsafe functions?
SLIDE 8
Unsafe C/C++ functions lead to vulnerabilities
8
Exploit unsafe function (e.g. strcpy) Buffer Overflow Integer Overflow Code Injection Format String
SLIDE 9
Example: code snippet with strcpy()
9
Controlled by user! Buffer overflow ⇒ Control the program flow!
Make argv[1] larger than 20 bytes to cause buffer overflow.
Source Destination
SLIDE 10
Popular unsafe functions
10
Level 2
(Easily Exploitable)
strcpy strcat gets (v)sprintf system Level 1
(Use with caution)
atoi memcpy getopt* exec* (v)snprintf realpath popen
SLIDE 11
Code collection
- We attributed some of the students’ code to instructors (Details in the paper).
- We found:
- Collected code from course web pages and .
11
567.3 KLOC
by Students
193.2 KLOC
by Instructors
KLOC = Thousand lines of code
- We Considered top 20 R1 universities in the US (According to US News).
SLIDE 12
Abundant use of unsafe functions
FlawFinder (Analysis tool)
12
3,099 Invocations
by Students 60% Level 2
4,238 Invocations
by Instructors 55% Level 2
SLIDE 13
Most used unsafe functions in the dataset
13
Level 2
SLIDE 14
Do students and instructors use similar functions?
14
Found high similarity:
- Most universities scored ≥ 0.5
- Four scored ≥ 0.9
func1 func2 func3 …. funcn 23 1 …. 4 1 5 …. 9 Usage counts of unsafe functions for a school
SLIDE 15
Where did students learn about these functions?
15
Instructors Code Lecture Notes Textbooks Most of them teach/use unsafe functions !!!
SLIDE 16
The increased awareness towards gets()
16
9 Invocations only
fgets() is getting popular Replace unsafe functions with their safer alternatives!
SLIDE 17
Is it enough to teach the safe alternatives?
17
NO! Also controlled by user! Buffer overflow ⇒ Control program flow!
Make argv[1] larger than 240 bytes to cause buffer overflow.
SLIDE 18
More than just teaching safe functions
18
Update material Unsafe Functions Teach safe alternatives Train Instructors Grade code security
SLIDE 19
How Secure are our Computer Systems Courses?
19
https://majedalmansoori.com malmansoori2@wisc.edu
Collected 760+ KLOC 7,337 invocations
- f unsafe function
Unsafe examples in course resources Redesign computer systems course Integrate security in
- ther required courses