Workshop Program

All sessions will be held in the Texas Ballroom 5–7 unless otherwise noted.

The workshop papers are available for download below to registered attendees now and to everyone beginning Tuesday, August 9, 2016. Paper abstracts are available to everyone now. Copyright to the individual works is retained by the author[s].

Downloads for Registered Attendees

Attendee Files 

(Registered attendees: Sign in to your USENIX account to download these files.)

ASE '16 Paper Archive (ZIP)
ASE '16 Attendee List (PDF)

 

Tuesday, August 9, 2016

8:00 am–9:00 am Tuesday

Continental Breakfast

Texas Ballroom Foyer

9:00 am–10:30 am Tuesday

Reversing and Exploitation Exercises

Session Chair: Adam Aviv, US Naval Academy

Learning From Others’ Mistakes: Penetration Testing IoT Devices in the Classroom

Tom Chothia, University of Birmingham; Joeri de Ruiter, Radboud University Nijmegen

This paper shows how it is possible to use commercial off-the-shelf IoT devices in a taught cyber security course. We argue that the current level of IoT device security makes testing them an excellent exercise for students. We have developed a course based around this idea that teaches students basic penetration testing techniques and then sets two rounds of group assignments in which they get hands-on experience with performing a security analysis of an IoT device. In the first round, the students get devices which we know are vulnerable. In the second round, the groups are mixed and they get devices with no previously known vulnerabilities. This approach enables us to provide them enough guidance in the first round to get the experience needed to perform the analysis independently in the second round. This seems to have been successful because our student teams found previously unknown vulnerabilities in five devices in the second round of tests.

Available Media

A Tool for Teaching Reverse Engineering

Clark Taylor and Christian Collberg, University of Arizona

Tigress is a freely available source-to-source, C language code obfuscator. The tool allows users to obfuscate existing programs or programs randomly generated by Tigress itself. Tigress is highly flexible, providing a large number of standard obfuscating code transformations, and many variants of each transformation. Tigress may be used in many contexts, but in this paper we describe its use in teaching code reverse engineering techniques. In order to make Tigress easily available and usable to educators and students, we have integrated Tigress into a web application. In addition to directly benefiting education, this new web application offers unique ways to advance research on code obfuscation and reverse engineering.

Available Media

On the Design of Security Games: From Frustrating to Engaging Learning

Jan Vykopal and Miloš Barták, Masaryk University

Hands-on cyber security training is generally accepted as an enjoyable and effective way of developing and practising skills that complement the knowledge gained by traditional education. At the same time, experience from organizing and participating in these events shows that there is still room for making a larger impact on the learners, and providing more engaging and beneficial learning. In particular, the area of the game and exercise design is not sufficiently well-developed. There is no comprehensive methodology or best practices that can be used to prepare, test, and carry out events.

We present the concept of a security game and lessons learned from a prototype game played by 260 participants. Based on the lessons, we describe the enhancements to the game design and a user study evaluating new game features. The results of the study show the importance of logging events which describe the course of the game. They also suggest what type of information can be predicted from the game logs and what can be found by other methods such as surveys.

Available Media

Lightning Talk

Teaching Data-Driven Security: A Course on Security Analytics

Rakesh Verma, University of Houston

Available Media
10:30 am–11:00 am Tuesday

Break with Refreshments

Texas Ballroom Foyer

11:00 am–12:30 pm Tuesday

Panel

Mentorship of Women in Computer Security

Moderator: Cynthia Irvine, Naval Postgraduate School

Panelists: Terry Benzel, Information Sciences Institute/University of Southern California; Ashley Podhradsky, Dakota State University; Ambareen Siraj, Tennessee Tech University; Rakesh Verma, University of Houston


Lightning Talk

SATC Transition to Practice Perspective: Why and How?

Rebecca Bace, University of South Alabama

12:30 pm–2:00 pm Tuesday

Luncheon for Workshop Attendees

Zilker Ballroom 1

2:00 pm–3:30 pm Tuesday

Introspection and Self Awareness

Session Chair: Wu-chang Feng, Portland State University

Self-Efficacy in Cybersecurity Tasks and Its Relationship with Cybersecurity Competition and Work-Related Outcomes

Jian Ming Colin Wee and Masooda Bashir, University of Illinois at Urbana–Champaign; Nasir Memon, New York University

Research on cybersecurity competitions is still in its nascent state, and many questions remain unanswered, including how effective these competitions actually are at influencing career decisions and attracting a diverse participant base. The present research aims to address these questions through surveying a sample of ex-cybersecurity competition participants from New York University’s Cyber-Security Awareness Week (CSAW). 195 survey respondents reported on their self-esteem, general self-efficacy, and perceived efficacy in cybersecurity-related tasks, along with important competition- and career-related variables such as reasons for participating, competition performance, appeal and effectiveness of competitions, job satisfaction, and perceived organizational fit. Correlational analyses showed that confidence in cybersecurity-related tasks was positively related to interest in cybersecurity, performance within the competition, job satisfaction within a cybersecurity job, and perceived organizational fit within cybersecurity organizations. Specific self-efficacy was better at predicting competition performance than general self-efficacy or self-esteem, but was unrelated to participants’ positive image of competitions and whether or not the cybersecurity competitions influenced their career decisions. Instead, general self-efficacy was a better predictor of positive competition experience even more so than performance within the competition. Overall, the results show that participants with self-confidence in their cybersecurity-relevant skills are more likely to do well in the competition and be satisfied when entering a cybersecurity career, but any participant with high general self-efficacy will likely still have a positive experience when participating in competitions.

Available Media

Development of Peer Instruction Questions for Cybersecurity Education

William E. Johnson, Allison Luzader, Irfan Ahmed, Vassil Roussev, and Golden G. Richard III, University of New Orleans; Cynthia B. Lee, Stanford University

Cybersecurity classes should be focused on building practical skills along with the development of the open mindset that is essential to tackle the dynamic cybersecurity landscape. Unfortunately, traditional lecture-style teaching is a poor match for this task. Peer instruction is a non-traditional, active learning approach that has proven to be effective in many fundamental courses of computer science. The main challenge for faculty in adopting peer instruction is the development of conceptual questions. This paper presents a methodology for developing peer instruction questions systematically for cybersecurity courses. The method consists of four stages: concept identification, concept trigger, question presentation, and question development. The paper further provides an analysis of 172 questions developed over the period of ten months by the authors for two cybersecurity courses: introduction to computer security and network penetration testing. Finally, it discusses four examples of peer instruction questions in the context of the aforementioned methodology.

Available Media

Finding the Balance Between Guidance and Independence in Cybersecurity Exercises

Richard Weiss, The Evergreen State College; Franklyn Turbak, Wellesley College; Jens Mache and Erik Nilsen, Lewis and Clark College; Michael E. Locasto, SRI International

In order to accomplish cyber security tasks, one needs to know how to analyze complex data and when and how to use tools. Many hands-on exercises for cybersecurity courses have been developed to teach these skills. There is a spectrum of ways that these exercises can be taught. On one end of the spectrum are prescriptive exercises, in which students follow step-by-step instructions to run scripted exploits, perform penetration testing, do security audits, etc. On the other end of the spectrum are open-ended exercises and capture-the-flag activities, where little guidance is given on how to proceed.

This paper reports on our experience with trying to find a balance between these extremes in the context of one of the suite of cybersecurity exercises that we have developed in the EDURange framework. The particular exercise that we present teaches students about dynamic analysis of binaries using strace. We have found that students are most successful in these exercises when they are given the right amount of prerequisite knowledge and guidance as well as some opportunity to find creative solutions. Our scenarios are specifically designed to develop analysis skills and the security mindset in students and to complement the theoretical aspects of the discipline and develop practical skills.

Available Media

Gamification for Teaching and Learning Computer Security in Higher Education

Z. Cliffe Schreuders and Emlyn Butterfield, Leeds Beckett University

In many cases students in higher education are driven by assessments and achievements rather than the “learning journey” that can be achieved through full engagement with provided material. Novel approaches are needed to improve engagement in and out of class time, and to achieve a greater depth of learning. Gamification, “the use of game design elements in nongame contexts”, has been applied to higher education to improve engagement, and research also suggests that serious games can be used for games-based learning, providing simulated learning environments and increasing motivation.

This paper presents the design and evaluation of a gamified computer security module, with a unique approach to assessed learning activities. Learning activities (many developed as open educational resources (OER)) and an assessment structure were developed. A new free and open source software (FOSS) virtual learning environment (VLE) was implemented, which enables the use of three types of experience points (XP), and a semi-automated marking scheme for timely, clear, transparent, and feedback-oriented marking.

The course and VLE were updated and evaluated over two years. Qualitative and descriptive results were positive and encouraging. However, ultimately the increased satisfaction was not found to have statistical significance on quantitative measurements of motivation, and the teaching workload of the gamified module was noteworthy.

Available Media
3:30 pm–4:00 pm Tuesday

Break with Refreshments

Texas Ballroom Foyer

4:00 pm–5:30 pm Tuesday

Security Education Outside the Security Classroom

Session Chair: Mark Gondree, Naval Postgraduate School

Teaching Computer Science With Cybersecurity Education Built-in

Chuan Yue, Colorado School of Mines

Despite the remarkable cybersecurity education efforts from traditional approaches such as offering dedicated courses and even degree programs or tracks, the computer science curricula of many institutions still severely fall short in promoting cybersecurity education. We advocate to further explore the security integration approach to complement other approaches and better promote cybersecurity education. We contribute to this approach by concretely exploring a viable implementation solution and evaluating its effectiveness. Specifically, we explore to discuss relevant cybersecurity topics in upper and graduate level non-security courses to engage students in learning cybersecurity knowledge and skills from the perspectives of different computer science sub-areas, and help them understand the correlation and interplay between cybersecurity and other sub-areas of computer science. Our experience in six class sessions of five non-security courses is very encouraging: the majority of students found the discussed cybersecurity topics interesting, useful, and relevant; they would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future; they improved their understanding of the discussed content. We hope our experience can be helpful for other educators to adopt and further explore the security integration approach in the future.

Available Media

A "Divergent"-Themed CTF and Urban Race for Introducing Security and Cryptography

Wu-chang Feng, Portland State University

There is a recognized shortage of students who are interested in learning computer and network security. One of the underlying reasons for this is a lack of awareness and motivation to study the subject. In order to tackle this problem, we have developed an introductory cryptography and security curriculum that attempts to inspire students to pursue this career path.

Towards this end, the curriculum we have designed motivates the importance of the field and contains a variety of activities intended not only to teach students basic concepts, but also allow them to develop technical skills in a fun and engaging manner. In particular, we employ a novel set of capture-the-flag (CTF) exercises and a physical activity based on an urban race, both of which are tied into a fictional story that students act out. The storyline follows a book series that many young adults of this generation are familiar with: the Divergent books written by Veronica Roth [1]. Using this approach, we have successfully delivered our curriculum at multiple schools throughout Oregon.

Available Media

Mentoring Talent in IT Security–A Case Study

Levente Buttyán, Márk Félegyházi, and Gábor Pék, CrySyS Lab, BME

Talent management is usually not well-supported by traditional curricula, because university courses are typically designed for a large number of average students and not for the few outstanding ones. In this paper, we share our experiences on running a talent mentoring program in IT security at our university. We describe the whole process from increasing awareness of IT security among students, via maintaining a community of practice where they can improve their skills, to finally connect them to well-established IT companies. We also introduce avatao, a platform to support hands-on IT security practice. Our methods could serve as a blueprint to establish a successful talent management program in IT security in a typical academic environment.

Available Media

The Use of Cyber-Defense Exercises in Undergraduate Computing Education

W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson, United States Military Academy

This paper describes the placement of a large-scale cyber-defense exercise within the computer science and information technology curricula at an undergraduate institution, the United States Military Academy. Specifically, we describe the US National Security Agency Cyber-Defense Exercise as an example of a large-scale design, implement, and defend exercise. Furthermore, we provide evidence that the exercise inspires students to evaluate and create within the field of computer security. Our evidence includes examples of student research projects which benefited from unique opportunities for innovation. Finally, we provide the exercise documents that governed the 2016 Cyber-Defense Exercise and packet captures from our portion of the network.

Available Media

Scalable and Lightweight CTF Infrastructures Using Application Containers (Pre-recorded Presentation)

Arvind S Raj, Bithin Alangot, Seshagiri Prabhu, and Krishnashree Achuthan, Amrita Vishwa Vidyapeetham

Attack-defence Capture The Flag (CTF) competitions are effective pedagogic platforms to teach secure coding practices due to the interactive and real-world experiences they provide to the contest participants. Two of the key challenges that prevent widespread adoption of such contests are: 1) The game infrastructure is highly resource intensive requiring dedication of significant hardware resources and monitoring by organizers during the contest and 2) the participants find the gameplay to be complicated, requiring performance of multiple tasks that overwhelms inexperienced players. In order to address these, we propose a novel attack-defence CTF game infrastructure which uses application containers. The results of our work showcase effectiveness of these containers and supporting tools in not only reducing the resources organizers need but also simplifying the game infrastructure. The work also demonstrates how the supporting tools can be leveraged to help participants focus more on playing the game i.e. attacking and defending services and less on administrative tasks. The results from this work indicate that our architecture can accommodate over 150 teams with 15 times fewer resources when compared to existing infrastructures of most contests today.

Available Media
