Executive Summary

Project Title: Towards a Security-Aware Undergraduate Computer Science Curriculum at UMBC

Date: March 19, 2003

Investigator Names:

·  Brian Roberts, Graduate Student @ UMBC

·  Doug Cress, Graduate Student @ UMBC

·  John Simmons, Graduate Student @ UMBC

Keywords: undergraduate education, security modules, secure programming, computer science curriculum

As the usefulness and ubiquity of information technology (IT) have increased, the deployment of poorly written, insecure code has exploded. Hundreds of vulnerabilities are revealed by both security defenders and malicious attackers each year. This ever-widening gap between the good, secure software development supposedly taught in schools and the actual bug-ridden code that is deployed will continue to plague our society and endanger our future.

In order to address this critical problem, our team has taken on the task of analyzing the current curriculum of the three foundational computer science classes required of all students seeking to graduate with a Bachelor’s of Computer Science from UMBC. These classes are CMSC-201 Computer Science I for majors, CMSC-202 Computer Science II for majors, and CMSC-341 Data Structures. After we’ve examined the topics covered by the classes, we will develop specific, germane examples and teaching tools that will help the students understand where they can start to write more secure code. Additionally, we’ll describe the dangers that poor, insecure software development can lead to and point out how they personally could contribute to the destruction of, or unauthorized access to, important data on the Internet.

After we’ve developed our course modules, each designed to fill a single lecture or to be condensed to half a lecture, we will meet with current instructors of each of the classes to see how they would use our material to instruct their students and to seek any additional suggestions they might have for improvement. Once we’ve combined all their suggestions into our work, we will present the modules to the department for possible inclusion in the base CS curriculum.

Our work is both novel and significant. It is novel in that such Information Assurance based education is currently completely lacking from these classes; any addition of such principles will be new and practical. It is significant because of the critical role that security plays in Information Technology. Hopefully our work will begin to penetrate the general malaise currently directed towards secure programming at the undergraduate level.

Interview Questions for Mr. Frey, Mr. Edleman, Dr. Oates, and Dr. Peng

341 is sort of the 3rd core computer science programming class here at UMBC. Similar security issues and design concerns will be included in the curriculums of 201 and 202. My hope is to augment the 341 curriculum in an unobtrusive manner, to allow the instructors to incorporate security issues without increasing their workload.

To me, some of the most basic security concepts/dangers to make students aware of are:

·  The harm that programming errors and poorly secured code cause

o  Damage to space program (classic ill. of metric/English)

o  widespread cyber-events against companies, gov’t, & education

o  financial impact of stolen credit cards or more serious bank account fraud

·  Possible liability for poorly written code. Can you be sued for insecure code?

·  Common insecure practices

o  un-checked array/vector bounds

o  un-checked input/output conditions

o  use of insecure functions strcpy(), gets(), etc…

·  Common data-structures that can be abused if poorly implemented

Questions/suggestions for places to incorporate security into CMSC-341

I notice that there’s lecture space in the syllabus for an ‘advanced topics’ lecture. Would a single lecture on security at the end of the semester be worthwhile? Or would it be better to integrate security related slides throughout the course?

There appear to be 5 projects spread throughout the semester.

·  Would a “security hazards that this data structure is prone to” section be appropriate for each project on its description page?

·  Would a security oriented question be appropriate as a third question (or as a replacement) on the question page for each project?

·  Would a security requirement for each project description be a gradable element?

o  i.e. All input should be checked

o  all array bounds must be protected

o  use of the more secure functions and libraries must be included

o  possibly use a tool to statically check for dangerous function calls (ITS4, LCLint, Purify, etc.)

·  Would it be instructive to pick a student’s submission at random and remove any identifying characteristics and then show it to the class pointing out the security flaws in it? Of course the author would recognize his/her work, and therefore everyone in the class would be on their toes so that their program is not shown.

·  Would a change to one of the project descriptions to one with more of a security flavor be useful? Of course the project’s focus would continue to be the data structure intended to be taught according to the syllabus.
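The static check for dangerous function calls suggested in the list above, as an added example (not part of the original proposal, and not how ITS4 or LCLint work internally): a lexical scan of a C submission that counts calls to `gets`, `strcpy` and related functions while ignoring comments and string literals. The function names, the sample submission, and the inclusion of `strcat` and `sprintf` are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Names to flag: strcpy and gets are from the page; strcat and sprintf are added assumptions. */
static const char *const DANGEROUS[] = { "gets", "strcpy", "strcat", "sprintf" };

static const char SAMPLE[] =            /* constructed sample submission */
    "/* do not call gets() here */\n"
    "int main(void) {\n"
    "    puts(\"strcpy(a, b) is unsafe\");\n"
    "    fgets(name, sizeof name, stdin); // not gets(name)\n"
    "    gets(name);\n"
    "    strcpy (copy, name);\n"
    "}\n";
static int is_dangerous(const char *id, size_t len) {
    for (size_t i = 0; i < sizeof DANGEROUS / sizeof DANGEROUS[0]; i++)
        if (strlen(DANGEROUS[i]) == len && memcmp(DANGEROUS[i], id, len) == 0)
            return 1;
    return 0;
}

/* Count calls to flagged functions, ignoring comments and string/char literals. */
int count_dangerous_calls(const char *p) {
    int hits = 0;
    while (*p) {
        if (p[0] == '/' && p[1] == '/') {                 /* line comment */
            while (*p && *p != '\n') p++;
        } else if (p[0] == '/' && p[1] == '*') {          /* block comment */
            for (p += 2; *p && !(p[0] == '*' && p[1] == '/'); p++) {}
            if (*p) p += 2;
        } else if (*p == '"' || *p == '\'') {             /* string or char literal */
            char quote = *p++;
            for (; *p && *p != quote; p++)
                if (*p == '\\' && p[1]) p++;              /* skip escaped char */
            if (*p) p++;
        } else if (isalpha((unsigned char)*p) || *p == '_') {
            const char *start = p, *q;                    /* whole identifier, so fgets != gets */
            while (isalnum((unsigned char)*p) || *p == '_') p++;
            for (q = p; isspace((unsigned char)*q); q++) {}
            if (*q == '(' && is_dangerous(start, (size_t)(p - start))) hits++;
        } else {
            p++;
        }
    }
    return hits;
}
int main(void) { printf("%d flagged call(s)\n", count_dangerous_calls(SAMPLE)); return 0; }
```

Because the scan is purely lexical, it reports where a flagged function is called, not whether a particular call can actually overflow.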

There appear to be 3 exams. Would it be possible to add a security related question to each or any of the exams?

If you were to incorporate security into the core of UMBC computer science education would you include the topic in 341? If not where would you place such instruction?