Summit Program

All sessions will be held in Harbor D unless otherwise noted.

The full papers published by USENIX for 3GSE '14 are available for download as an archive or individually below. Copyright to the individual works is retained by the author(s).

Monday, August 18, 2014

8:30 a.m.–9:00 a.m. Monday

Continental Breakfast

Harbor Foyer

9:00 a.m.–10:30 a.m. Monday

World 1-1: Leveling Up Capture the Flag

Learning Obstacles in the Capture The Flag Model

3:15 pm

Kevin Chung and Julian Cohen, New York University Polytechnic School of Engineering

Capture The Flag (CTF) competitions have been used in the computer security community for education and evaluation objectives for over a decade. These competitions are often regarded as excellent approaches to learn deeply technical concepts in a fun, non-traditional learning environment, but there are many difficulties associated with developing and competing in a CTF event that are rarely discussed that counteract these benefits. CTF competitions often have issues related to participation, quality assurance, and confusing challenges. These problems affect the overall quality of a CTF competition and describe how effective they are at catalyzing learning and assessing skill. In this paper, we present insights and lessons learned from organizing CSAW CTF, one of the largest and most successful CTFs.

An Argument for Game Balance: Improving Student Engagement by Matching Difficulty Level with Learner Readiness

3:30 pm

Portia Pusey, National CyberWatch Center; David Tobey, Sr., Indiana University South Bend; Ralph Soule, Naval Sea Systems Command

The exponential growth of students participating in cybersecurity competition and challenge programs has been used as support for claims that the numbers of students interested in pursuing cybersecurity careers are also increasing. However, one recent study documented a decline in novice participants over the course of three cybersecurity competitions. This paper presents an argument for supporting learner engagement by balancing the difficulty level of the game’s activities with the learner’s abilities.

PicoCTF: A Game-Based Computer Security Competition for High School Students

3:30 pm

Peter Chapman, Jonathan Burket, and David Brumley, Carnegie Mellon University

The shortage of computer security experts is a critical problem. To encourage greater computer science interest among high school students, we designed and hosted a computer security competition called PicoCTF. Unlike existing competitions, PicoCTF focused primarily on offense and presented challenges in the form of a web-based game. Approximately 2,000 teams participated, with students playing for an average of 12 hours. We present the game-based competition design, an evaluation based on survey responses and website interaction statistics, and insights into the students who played. Further we have released our platform and challenges as an open source project, which has been adapted into the curricula of 40 high schools. Since its release in August of 2013, the PicoCTF platform has been used to host six other capture-the-flag competitions.

The Fun and Future of CTF

3:30 pm

Andy Davis, Tim Leek, Michael Zhivich, Kyle Gwinnup, and William Leonard, MIT Lincoln Laboratory

Capture the Flag (CTF) is well-established as a computer security contest of skill in which teams compete in real time for prizes and bragging rights. At the time of this writing, CTFtime.org—a tracking web site devoted to aggregating team standings across various CTF events—lists 76 such contests, and more spring up each year. But what is the point, exactly? In this paper we detail our experiences in a third year of designing, building and running a CTF for Boston-area undergraduate and graduate students. This will serve two purposes: first, others desiring to stage such an event can benefit from our experience, and second, the details of our CTF will provide a concrete context for a broader discussion and deeper questions on the value and future of this type of activity.

10:30 a.m.–11:00 a.m. Monday

Break with Refreshments

Harbor Foyer

11:00 a.m.–12:30 p.m. Monday

World 2-1: Design and Production

NSF Funding Opportunities for Cybersecurity Education and Workforce Development

Victor Piotrowski, National Science Foundation

Practical Lessons from Creating the Control-Alt-Hack Card Game and Research Challenges for Games In Education and Research

3:30 pm

Tamara Denning, University of Washington; Adam Shostack; Tadayoshi Kohno, University of Washington

We designed, produced, distributed, and evaluated Control-Alt-Hack™: a recreational tabletop card game intended to promote a casual awareness of high-level computer security concepts. Our experiences throughout this process gave us insights and opinions regarding the creation of games, their role in educational or outreach contexts, and opportunities and challenges for the research community. In particular, we: (1) provide a logistics-oriented reflection on our experiences, including a list of the work roles that were involved in producing the game and a timeline of the creation process; and (2) step back to consider higher-level issues for the community, including the role of games in the classroom and the challenges behind conducting and publishing evaluations of game-based learning.

CyberCIEGE Scenario Design and Implementation

3:30 pm

Michael F. Thompson and Cynthia E. Irvine, Naval Postgraduate School

In 2005, the initial version of CyberCIEGE, a network security simulation packaged as a video game, was released. Since then, we have developed a suite of game scenarios and have enhanced and extended the underlying game engine to cover a broad set of cybersecurity concepts. CyberCIEGE includes a Scenario Development Kit to customize existing game scenarios and create new ones. A Scenario Development Language lets instructors express security policies of interest and the circumstances in which these policies must be enforced. This language programs and augments the underlying CyberCIEGE simulation, enabling context-rich interaction with students, while relying on the simulation to assess network security and enterprise productivity.

Scenario creation requires both story telling and high-level programming techniques. Scenario designers use a forms-based integrated development environment to express a scenario in terms of its initial conditions, security policies, economic constraints, and student feedback.

Elevation of Privilege: Drawing Developers into Threat Modeling

3:30 pm

Adam Shostack, Microsoft

This paper presents Elevation of Privilege, a game designed to draw people who are not security practitioners into the craft of threat modeling. The game uses a variety of techniques to do so in an enticing, supportive and non-threatening way. The subject of security tools for software engineering has not generally been studied carefully. This paper shares the objectives and design of the game, as well as tradeoffs made and lessons learned while building it. It concludes with discussion of other areas where games may help information security professionals reach important goals.

12:30 p.m.–2:00 p.m. Monday

Luncheon for Summit Attendees

Harbor GH

2:00 p.m.–3:30 p.m. Monday

World 3-1: Capturing Capture the Flag

Panel

Moderator: Mark Gondree, Naval Postgraduate School

Panelists: Chris Eagle, Naval Postgraduate School; Portia Pusey, National CyberWatch Center; Andrew Davis, MIT Lincoln Laboratory; Giovanni Vigna, University of California, Santa Barbara; Peter Chapman, Carnegie Mellon University

3:30 p.m.–4:00 p.m. Monday

Break with Refreshments

Harbor Foyer

4:00 p.m.–4:45 p.m. Monday

World 4-1: Game Platforms

Class Capture-the-Flag Exercises

3:30 pm

Jelena Mirkovic and Peter A. H. Peterson, USC/Information Sciences Institute

The field of cybersecurity is adversarial—the real challenge lies in outsmarting motivated and knowledgeable human attackers. Sadly, this aspect is missing from current cybersecurity classes, which are often taught through lectures and occasionally through "get your feet wet" practical exercises. We propose Class Capture-the-Flag exercises (CCTFs) to revitalize cybersecurity education. These are small-scoped competitions that pit teams of students against each other in realistic attack-defense scenarios. We describe how to design these exercises to be easy for teachers to conduct and grade, easy for students to prepare for and a lot of fun for everyone involved. We also provide descriptions of CCTFs we have developed and recount our experiences of using them in class.

Ten Years of iCTF: The Good, The Bad, and The Ugly

3:30 pm

Giovanni Vigna, Kevin Borgolte, Jacopo Corbetta, Adam Doupe, Yanick Fratantonio, Luca Invernizzi, Dhilung Kirat, and Yan Shoshitaishvili, University of California, Santa Barbara

Security competitions have become a popular way to foster security education by creating a competitive environment in which participants go beyond the effort usually required in traditional security courses. Live security competitions (also called "Capture The Flag," or CTF competitions) are particularly well-suited to support hands-on experience, as they usually have both an attack and a defense component. Unfortunately, because these competitions put several (possibly many) teams against one another, they are difficult to design, implement, and run. This paper presents a framework that is based on the lessons learned in running, for more than 10 years, the largest educational CTF in the world, called iCTF. The framework's goal is to provide educational institutions and other organizations with the ability to run customizable CTF competitions. The framework is open and leverages the security community for the creation of a corpus of educational security challenges.

4:45 p.m.–5:30 p.m. Monday

World 4-2: Expansion Packs for the Classroom

A Case Study in Helping Students to Covertly Eat Their Classmates

3:30 pm

Roya Ensafi, Mike Jacobi, and Jedidiah R. Crandall, University of New Mexico

Werewolves is an online version of the game Werewolves of Miller’s Hollow that we developed in 2012 to help teach information flow in a computer security and privacy class. The game pits werewolves against townspeople in a shared Linux system, where students must use the command line environment to find information flow leaks in the form of side channels that reveal the werewolves’ identities.

Werewolves has many desirable traits, such as the ability to make learning about information flow fun and the fact that the kinds of attacks students can carry out to gain an advantage in the game are open ended, which leads to self-guided learning. However, these benefits quickly deteriorate if one or two students dominate the game. In this paper, we discuss instances where this has occurred through several uses of the game, and propose ways to ameliorate this problem.

SecurityEmpire: Development and Evaluation of a Digital Game to Promote Cybersecurity Education

3:30 pm

Marc Olano, Alan Sherman, Linda Oliva, Ryan Cox, Deborah Firestone, Oliver Kubik, Milind Patil, John Seymour, Isaac Sohn, and Donna Thomas, University of Maryland, Baltimore County

SecurityEmpire is a new multiplayer computer game to teach cybersecurity concepts to high school students. We describe the design and implementation of SecurityEmpire, explain how it teaches security concepts, share preliminary evaluative data from students and teachers, and describe our experiences with developing, fielding, and evaluating this educational game. SecurityEmpire challenges each user to build a green energy company while engaging in sound information assurance practices and avoiding security missteps. Sound information assurance practices include: not clicking on unsafe links, encrypting auction bids, authenticating software downloads, performing integrity checks of system software, keeping antivirus protection up-to-date, and choosing strong passwords. In contrast with traditional teaching methods, educational games hold promise for greater student engagement and learning. We pilot tested an initial version of the game in computer science classes at partner high schools and in an undergraduate gaming class at our university. The preliminary data suggest that the game is engaging and increases awareness of cybersecurity practices.
