All sessions will be held in Grand Ballroom C unless otherwise noted.
The workshop papers are available for download below to registered attendees now and to everyone beginning Tuesday, August 15, 2017. Paper abstracts are available to everyone. Copyright to the individual works is retained by the author[s].
Tuesday, August 15
8:00 am–9:00 am
9:00 am–10:30 am
Using Competitions and CTFs
Session Chair: Mark Gondree, Sonoma State University
Clark Taylor, University of Arizona and Lawrence Livermore National Laboratory; Pablo Arias, North Carolina A&T and Lawrence Livermore National Laboratory; Jim Klopchic, Celeste Matarazzo, and Evi Dube, Lawrence Livermore National Laboratory
Capture the flag (CTF) style events have become increasingly popular events for recruitment, training, evaluation, and recreation in the field of computer security. Today, there exists a vast array of CTF software; this software may be divided generally into game engines and challenge components. Game engines, which determine the overall style of the competition, can be categorized into those which support dynamic challenges and those which support static challenges. A small number of game engines are open and available for any party to develop their own challenges on, though most are proprietary solutions.
Over the course of the last 8 years, the Cyber Defenders group at Lawrence Livermore National Laboratory hosted an annual CTF event for its interns, in the process evaluating different CTF types and engines and ultimately developing data on the state-of-the-art in this field. While these events resulted in a large degree of success with regard to the goals mentioned above, a critical evaluation of the software both used by the Cyber Defenders and generally across the entire field revealed several shortcomings of current CTF practices. In particular, current software may be improved with regard to challenge realism, costs and accessibility, educational applications, and research potential. Proposed herein is a new game engine which addresses these shortcomings. This paper details the architectures for and current progress towards implementing this game engine.
Erik Trickel, Arizona State University; Francesco Disperati and Eric Gustafson, University of California, Santa Barbara; Faezeh Kalantari, Michael Mabey, Naveen Tiwari, Yeganeh Safaei, and Adam Doupe, Arizona State University; Giovanni Vigna, University of California, Santa Barbara
Although we are facing a shortage of cybersecurity professionals, the shortage can be reduced by using technology to empower all security educators to efficiently and effectively educate the professionals of tomorrow. One powerful tool in some educators’ toolboxes are Capture the Flag (CTF) competitions. Although participants in all the different types of CTF competitions learn and grow their security skills, Attack/Defense CTF competitions offer a more engaging and interactive environment where participants learn both offensive and defensive skills, and, as a result, they develop their skills even faster. However, the substantial time and skills required to host a CTF, especially an Attack/Defense CTF, is a huge barrier for anyone wanting to organize one. Therefore, we created an on-demand Attack/Defense tool via an easy-to-use website that makes the creation of an Attack/Defense CTF as simple as clicking a few buttons. In this paper, we describe the design and implementation of our system, along with lessons learned from using the system to host a 24-hour 317 team Attack/Defense CTF.
Tanner J. Burns, Samuel C. Rios, Thomas K. Jordan, Qijun Gu, Texas State University; Trevor Underwood, Netspend Corporation
Cybersecurity competitions are getting more attention as a prominent approach of computer security education in the past years. It is vital to look into better ways to engage beginners in the competitions to improve computer security education. This work collected and analyzed the solutions of about 3600 Capture The Flag (CTF) challenges from 160 security competitions in the past three years. This work identified the security issues that are the most concerning to industry and academia and enumerated the security tools and techniques that are used the most by players. Based on the analysis, this work presented a set of computer security exercises as a downloadable tool package for beginners to try out in an introductory computer security course.
Kevin Chung, CTFd LLC
Capture The Flag (CTF) competitions have a rich history of incredibly technical individuals providing information security resources for each other. CTFs have been used by the information security community for education and assessment for over a decade. They’re widely regarded as an excellent introduction to the information security industry given their competitive aspect, team building nature, and lack of long-term commitment.
CTF organizers have long experimented with exploring its relevance in areas beyond technical competitions. The foundation of CTF is rooted in technical education but one of the desired evolutions of CTF is as an e-sport. In this paper, we present our perspective on why the current model of CTF is not a viable e-sport. This perspective will be presented alongside ideas around advancing the adoption of CTF, and CTFd, a readily available open-source framework for educators, recruiters, and companies to integrate CTFs into their pipelines.
CTFd eases the amount of development needed to bring a CTF to fruition. Aside from the challenge views for standard CTF functionality, it features score graphs, an administration panel, a built-in hint economy, and archival functionality. In addition, CTFd supports plugins and themes for additional customizability. This paper will be presented alongside a demonstration of the features of CTFd and different ways it can be integrated in computer education.
10:30 am–11:00 am
Break with Refreshments
11:00 am–12:30 pm
Session Chair: Ashley Podhradsky, Dakota State University
Wu-chang Feng, Robert Liebman, Lois Delcambre, Michael Lupro, Tim Sheard, Scott Britell, and Gerald Recktenwald, Portland State University
With society’s increasing dependence on technology infrastructure, the importance of securing the computers, networks, data, and algorithms that run our digital and physical lives is becoming critical. To equip the next generation of citizens for the challenges ahead, an effort is underway to introduce security content early in a student’s academic career. It is important that these efforts broaden participation and increase diversity in the field. While many camps and curricula focus on introducing technical content and skills related to cybersecurity, such approaches can prematurely limit how students view career opportunities in the field, potentially limiting those who ultimately pursue it. In addition, it is likely that many problems in cybersecurity can only be addressed in an interdisciplinary manner by those trained in the arts and humanities as well as in technical fields.
This paper describes CyberPDX, a residential summer camp that introduces cybersecurity to high school students. Key to CyberPDX is its focus on the range of societal issues that will be impacted by cybersecurity as well as its coverage of the breadth of roles that students can play to help address them. Through four learning threads taught by faculty in Computer Science, Sociology, and Film Studies, the CyberPDX curriculum spans topics from constitutional law, cyberpolicy, ethics, and filmmaking to programming, cryptography, security, and privacy in order to show students how broad cybersecurity issues are and the many ways they can participate in helping to solve them.
Elizabeth Stobert, Elizabeta Cavar, Luka Malisa, and David Sommer, ETH Zurich
As more of the activities of daily living take place online, computer security education for high school students is of increasing importance. To address this need, we designed, developed, and tested prototype curriculum materials to teach secondary school students about user authentication. We identify challenges encountered in this process, and contend that these challenges stem from the nature of security and are inherent to teaching it. We suggest that other safety-related topics (such as sex education) could provide valuable parallels for designing computer security curriculum.
Jail, Hero or Drug Lord? Turning a Cyber Security Course Into an 11 Week Choose Your Own Adventure Story
Tom Chothia, Sam Holdcroft, Andreea-Ina Radu, and Richard J. Thomas, University of Birmingham
In this paper we argue that narrative and story are important elements of gamification, and we describe a framework that we have developed which adds a story to an 11 week cyber security course. The students play the part of a new IT security employee at a company and are asked to complete a number of security tasks, for which they receive flags. The students can send the flags they find to a number of different characters to move the story along in different ways. As the story unfolds they find deceit, corruption and ultimately murder, and their choices lead them to one of three different endings. Our framework for running the story and the exercises is completely contained in a single VM, which the students each download at the start of the course. This means that no backend or cloud support is needed. We report on the results of qualitative and quantitative evaluations of the course that provides evidence that the story increased student engagement and results.
Erinn Atwater, Cecylia Bocovich, Urs Hengartner, and Ian Goldberg, University of Waterloo
This paper presents Netsim, a web-based game intended to teach high school aged children the basics of network routing and how common attacks are performed against it by hackers. Netsim is implemented in the form of a network simulator, with levels depicting how common protocols operate, and accompanying tutorial text explaining the protocol or level. Users craft network packets, with a focus on manipulating the header fields, and inject them into the network via computers they control. Goals of the game include spoofing a source address to steal data, or inducing a smurf attack to perform a distributed denial of service.
We present a technical description of the game and how it is implemented. We provide a case study of our experiences running the game as a workshop for both high schoolers and educators several times, and the improvements we made to Netsim as a result. Netsim is available free and open source, and is also available as a hosted webapp that is free for users to access.
12:30 pm–2:00 pm
2:00 pm–3:30 pm
Developing Classroom Exercises
Session Chair: Wu-chang Feng, Portland State University
Richard Weiss, The Evergreen State College; Jens Mache, Lewis and Clark College; Michael Locasto, SRI
Total Recon is a hands-on cybersecurity exercise designed to teach about network reconnaissance, using a movie theme to make it more exciting for students. Students use nmap and netcat (nc) to investigate hosts on a large network. The multiple levels of the game provide scaffolding that allows students with a wide range of preparation to play the game. The exercise is implemented in the EDURange framework, and according to our surveys, both students and faculty have found the exercises to be very engaging. This short paper describes both the EDURange framework and the Total Recon exercise.
Security Scenario Generator (SecGen): A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events
Z. Cliffe Schreuders, Thomas Shaw, Mohammad Shan-A-Khuda, Gajendra Ravichandran, and Jason Keighley, Leeds Beckett University; Mihai Ordean, University of Birmingham
Computer security students benefit from hands-on experience applying security tools and techniques to attack and defend vulnerable systems. Virtual machines (VMs) provide an effective way of sharing targets for hacking. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been "solved" there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion.
Security Scenario Generator (SecGen) can build complex VMs based on randomised scenarios, with a number of diverse use-cases, including: building networks of VMs with randomised services and in-the-wild vulnerabilities and with themed content, which can form the basis of penetration testing activities; VMs for educational lab use; and VMs with randomised CTF challenges. SecGen has a modular architecture which can dynamically generate challenges by nesting modules, and a hints generation system, which is designed to provide scaffolding for novice security students to make progress on complex challenges. SecGen has been used for teaching at universities, and hosting a recent UK-wide CTF event.
Cynthia E. Irvine, Michael F. Thompson, Michael McCarrin, and Jean Khosalim, Naval Postgraduate School
Successful lab designs are a valuable resource that should be re-used and shared among educators and between institutions. A collaborative, community-sourced design effort maximizes the benefit of the effort and expertise required to build and test an effective lab exercise. Unfortunately, infrastructure requirements, heterogeneous operating environments, and the desire to incentivize individual student work pose significant challenges that necessitate frequent updating, redesigning and retesting of assignments, creating a significant maintenance burden. To address these challenges, we present Labtainers: a container-based framework for the development, deployment and assessment of Linux-based cyber security lab exercises. Docker containers present a consistent environment that reduces the need for frequent updates, but with considerably less overhead than VM-based approaches. This enables a modest laptop to host labs consisting of multiple networked components. As such, the Labtainers framework is able to simulate a variety of security-relevant scenarios on a standalone student machine, without the need for elaborate infrastructure. Moreover, Labtainers’ scripting support allows exercises to be customized on a per-student basis, then collected and evaluated automatically on the instructor machine. This capability enables the instructor to assign exercises where each solution is unique to the student with little or no increase in complexity of lab setup or assessment.
William Johnson, Irfan Ahmed, and Vassil Roussev, University of New Orleans; Cynthia B. Lee, Stanford University
Digital forensics can be a difficult discipline to teach effectively because of its interdisciplinary nature, closely integrating law and computer science. Prior research in Physics and Computer Science has shown that the traditional lecture approach is inadequate for the task of provoking students’ thought-processes and systematically engaging them in problem-solving during class. Peer instruction is an established pedagogy for addressing some of the challenges of traditional lectures. For this paper, we developed 108 peer instruction questions for a digital forensics curriculum, and evaluated a selection of the questions by holding a condensed computer forensics workshop for university students. The evaluation results show that peer instruction helps students understand the targeted digital forensics concepts, and that 91% of students would recommend that other instructors use peer instruction.
3:30 pm–4:00 pm
Break with Refreshments
4:00 pm–5:00 pm
Awais Rashid, Lancaster University, UK; George Danezis, University College London, UK; Wouter Joosen, KU Leuven, Belgium
This panel is associated with a new, multi-partner effort to develop a cyber security body of knowledge (http://www.cybok.org/). The project seeks to address key questions like: What is in and out of scope of such a CyBOK? What essential knowledge in computer science and other disciplines should be pre-requisite for a CyBOK? This will be an interactive panel and audience feedback will be actively sought for the CyBOK project.
5:00 pm–6:00 pm
Session Chair: Cynthia Irvine, Naval Postgraduate School
- Motivating learning: Teaching communications security with social movements
Glencora Borradaile, Oregon State University
- Evaluating Online Security Training for Journalists Through the Lens of Learning Science
Mahdi Nasrullah Al-Ameen, Clemson University; Elizabeth Anne Watkins, Columbia University; Byron Lowens, Clemson University; Franziska Roesner, University of Washington; Kelly Caine, Clemson University; Susan E. Mcgregor, Columbia University
- Experiences with CTFd in the Classroom
Zachary Peterson, Cal Poly, San Luis Obispo
- Decisions & Disruptions: A tabletop game for ICS security education
Awais Rashid, Lancaster University
- Risk vs Reward: the use of raw data sources within undergraduate course in forensic training
Anthony Serapiglia, Saint Vincent College