Professional Documents
Culture Documents
Exploring Lawful Hacking As A Possible Answer To The Going Dark #2
Exploring Lawful Hacking As A Possible Answer To The Going Dark #2
ABSTRACT 2. BACKGROUND
We describe open courseware educational materials and a
curriculum advising service for a hands on Offensive Computer
2.1 Need for Offensive Cybersecurity
Security course that addresses realistic and emerging challenges Education
typical of the problems that cybersecurity professionals face in the In cybersecurity, Schneier’s Law states that “Anyone can invent a
fields of incident response, vulnerability analysis, secure security system that he himself cannot break.” Academically,
development and system administration, and that can be integrated offense serves as the analytical tool by which all defense is
into a cybersecurity curriculum for CAE students, and others, to measured. If defenders are not taught the modern analytical tools to
defend our nation and economy against sophisticated criminal and measure defense, they make erroneous conclusions about the state
state sponsored cyber attacks. The focus is on underlying principals of a system’s security, and thus design and certify systems that they
and independent thinking, with students developing their own themselves cannot break. These notions are supported by a recent
cyber defense technical skills and tools. empirical study from RAND Corporation on stockpiles of
weaponized exploits, which reveals the following relevant key
Categories and Subject Descriptors findings [1]:
C.2.0 [Computer/Communication Networks]: Security and The skills and methods used by software developers to
protection. D.2.5/7 [Software Engineering]: Diagnostics, Reverse find vulnerabilities are vastly different from those of
Engineering. K.3.1 [Computers and Education]: Distance vulnerability researchers.
Learning.
Many eyes on open source projects does not make all
General Terms bugs shallow. Linux was found to have weaponized
exploits that enjoyed the longest life expectancy.
Cybersecurity, Offensive Computer Security, Reverse
Engineering, Symbolic Execution, Problem Solving. Crowdsourcing vulnerability hunting, via bug bounties,
is perhaps insufficient to combat exploitation of software.
Keywords The study found that the stockpiled exploits rarely were
Cybersecurity curriculum design, Offensive Computer Security, independently rediscovered, and bug bounties did not
Open courseware, Vulnerability analysis, Weaponized exploits, reduce their expected shelf life.
Capture the Flag (CTF), Incident response. Weaponized exploits for vulnerabilities are killed more
often by code refactor than the developers’ collective
1. INTRODUCTION defensive efforts to find and patch vulnerabilities.
Current academic courseware materials for cybersecurity do not These disconnects beg questions on existing education techniques,
address all the relevant issues that drive the state of cybersecurity. and demonstrate the emerging need for focus on offensive
Additionally, most post-degree professional cybersecurity training cybersecurity and vulnerability research education in universities.
and certification heavily focuses on teaching students to use select
tools, which can be a flawed approach that produces inflexible 2.2 Survey of Cybersecurity Courseware
skills destined to be obsoleted with the tool. Additionally, it is rare There are several open, freely available cybersecurity courseware
for university courses or professional workshops to focus on the materials online. The largest collection of quality material is hosted
deep underlying fundamentals to equip students to be able to at http://opensecuritytraining.info, and contains notable courseware
manually solve offensive cybersecurity issues, or write their own like Intro to ARM, Intro to X86, The Life of Binaries, Reverse
tools to automate the task. The Offensive Computer Security open Engineering Malware, etc. Offensive cybersecurity courseware is
courseware was created at the Florida State University, and shared a subset of cybersecurity courseware and covers vulnerability
freely with academia to address these issues through fundamental research, penetration testing, bug hunting, exploit development,
offensive security and vulnerability research education. This web application exploitation, network exploitation, social
approach has produced students able to develop their own tools, engineering, and physical security attacks. Additionally, there are
find 0-day vulnerabilities, and find vulnerabilities when existing inseparable defensive cybersecurity subjects such as secure
professional tools fail. development, incident response, and digital forensics.
To address emerging curriculum needs in cybersecurity, this paper Few course materials exist for vulnerability research, which is an
shares the creation strategy, maintenance formula, scope, details of area focused on: a) techniques to discover new vulnerabilities, b)
the courseware, and the results from it being shared with educators techniques for exploit development, and c) techniques for
at over 20 universities. mitigating exploits. In addition to Offensive Computer Security, a
very notable course on vulnerability research is the Modern Binary
Exploitation lab courseware created by Rensselaer Polytechnic of the annual beginner CTF events like PicoCTF and CSAW, the
Institute’s RPISEC team1. RPIsec used the Offensive Computer challenges typically are prohibitively difficulty for the beginner
Security courseware in 2014, prior to creating their own course, and CTF player to approach, which is a problem created by exercise
may have used the courseware materials to develop the course. creators attempting to avoid replicating past exercises of previous
years. Therefore, CTF archives are a valuable repository for
3. EMERGING CYBERSECURITY challenges with write-ups that can inspire the quick creation of
CURRICULUM NEEDS derivative or new hands-on exercises.
In our sharing of the courseware and curriculum advising we have For educators, the hosting of CTF challenges is trivial with
identified several key challenges facing the emerging needs of solutions like CTFd, but solution write-ups provide an avenue for
cybersecurity curriculum for educators and students. cheating if CTF exercises are not modified 2. There exists an unmet
3.1.1 Cybersecurity Vocabulary curriculum development opportunity for funding CTF creators to
Students and professionals in software development and cyber- create variant exercises for curriculum use.
security often confound important terms such as bugs,
vulnerabilities, attacks, exploits, payloads, threats, impacts, and
3.1.4 Addressing Impostor Syndrome in
risks. This is a decade-old problem that is still wide-spread today Cybersecurity Students
in education. Introductory software development and computer Impostor syndrome (also known as impostor phenomenon or fraud
science courses need to thoroughly drill these distinct terms. syndrome) pervades throughout all areas of cybersecurity and is
notably common in higher levels of cybersecurity education.
3.1.2 The Challenges of Teaching Offense Furthermore, impostor syndrome is a growing problem in the field.
There are two opposed schools of thought in teaching offensive The syndrome causes individuals to be unable to recognize their
cybersecurity: a) focusing on teaching professional tools that legitimate achievements and be overwhelmed by a persistent fear
students would expect to see in industry, versus b) teaching the that their successes were mere luck or accidents, and that they will
fundamental offensive cybersecurity concepts and skills that allow be exposed as being a “fraud”.
students to manually solve problems and develop their own tools.
The syndrome especially affects high-achieving individuals, and
Both schools have their value and place. However, Ablon and
has lead remarkable, very-high-achieving students in the Offensive
Timothy demonstrate that software development, bug bounty, and
Computer Security course history to abandon cybersecurity or
penetration testing industry tools and methodologies rarely
vulnerability research all together. Cheung et. al. feel that this is a
rediscover, or protect systems from vulnerabilities that professional
common factor limiting participation in CTF and cybersecurity
black hat vulnerability researchers discover and weaponize exploits
competition environments [2]. We feel it is an emerging and critical
for [1]. These empirical results demonstrate that deeper
problem for the field that requires addressing in the earliest stages
vulnerability research skills are needed in industries threatened by
of STEM education. Imposter syndrome is the opposite of the
advanced persistent threats.
Dunning-Kruger effect, which is perhaps equally prevalent in the
The school of tool-use is easier for educators to approach, as field, but is easier to identify and address. The Dunning-Kruger
exercises are easier to set up, content is more readily available, and effect is where individuals overstate and overestimate their own
it requires less of a learning curve. Whereas the school of skills and abilities, leading them to make erroneous conclusions and
“offensive-fundamentals” posseses a steeper learning curve, harder unfortunate choices. However, they lack the competence and
setup of exercises, and educators may find resources more difficult metacognitive ability to see the reality of their situation and
to find and understand. The latter challenges may be prohibitive limitations [5].
for most faculty members, as it requires significant, dedicated focus The complexity, pressure, mystery, and pace of advancement of the
with hands-on, realistic exercises which often are in short supply. cybersecurity field makes it significantly challenging to address
Therefore, students often form “Capture The Flag” (CTF) clubs to these issues for students.
learn, share, and discover offensive cybersecurity skills that they
cannot or may not sufficiently learn in their courses [4]. 4. OFFENSIVE COMPUTER SECURITY
3.1.3 Realistic, Hands-on Exercises CURRICULUM
Cybersecurity students need exposure to hands-on, realistic, and
current challenges representative of problems that professionals 4.1 History
face in the fields of incident response, system administration, The vision of this class is to fill the common gaps left by most
vulnerability research, secure development, and more. However, University security courses, by giving students a deep technical
developing, maintaining, and hosting these exercises can be costly, perspective of how things are attacked and hacked and what
and is an emerging need of the field. defenses and mitigations work. The Offensive Computer Security
curriculum evolved out of several hands-on workshops created for
CTF competitions are increasingly providing this exposure for the Florida State University capture the flag (CTF) team “n0l3ptr”,
students outside their existing courses, and should be evaluated as and was first taught in 2013 as a graduate level elective 3. The
a source for obtaining such challenges to utilize in curriculums. original inspiration for the course and workshops was the NYU
Cybersecurity professionals often collaborate to create and host Poly Penetration Testing and Vulnerability Analysis course, which
CTF competitions on a regular basis such as Ghost in the Shellcode, no longer exists in its original form and evolved into a “CTF Field
DEFCON qualifier CTF, CSAW, and CODEGATE. CTF
challenges can range from academic to realistic to esoteric. Outside
1 3
https://github.com/RPISEC/MBE The original 2013 course can be viewed at:
2
CTFd source code: https://github.com/CTFd/CTFd https://www.cs.fsu.edu/~redwood/OffensiveSecurity/
Guide” resource4. The 2013 course was released online with lecture mitigations against those attacks. We found it best to include
slides, video, and homeworks freely accessible. However, the demonstrations in each lecture.
original Dropbox share for the course materials quickly was
overwhelmed with viewer traffic and we migrated the materials to 4.2.1 Course Objectives and Rationale
YouTube where they remain to this day. Upon completion of the course, students should:
It was updated and taught again in 2014 as an online course with Have found their own 0-day vulnerability and ethically
all lectures being assigned lecture videos5. When the creator, W. disclosed it.
Redwood, graduated he significantly updated the original fork of Know how to identify software flaws discovered through
the course and maintains it at http://hackallthethings.com/. It is still binary and source code auditing.
shared as free open courseware, under the Creative Commons, non- Know how to reverse engineer x86 binaries.
commercial, share-alike, attribution license, and educators can Know how to exploit software flaws (such as injection
adapt, modify, and alter the course materials as needed to fit their flaws, buffer overflows).
curriculum needs. Know how to perform network and host enumeration, as
well as OS and service fingerprinting.
Know how to perform network vulnerability analysis,
penetration and post exploitation.
Know how to effectively report and communicate all of
the above flaws.
The rationale for this course is that cybersecurity training typically
focuses on teaching students to use off-the-shelf tools for Offensive
Computer security, which is a flawed approach that produces
inflexible skills destined to be obsoleted with the tools. The focus
of this course is on the underlying fundamentals, and to equip
students with the technical skills to solve offensive cybersecurity
issues, and write their own tools if necessary. In particular the first
objective, to find and responsibly disclose a 0-day vulnerability,
will train students to find new vulnerabilities, prove that they are in
fact vulnerabilities and report them to get them patched.
4 5
https://trailofbits.github.io/ctf/ The 2014 version of the course is at:
http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/
communicate the vulnerability, to facilitate it getting patched.
These three skills are not possessed or proven by most students
graduating with degrees in cybersecurity or information assurance.
All homeworks were designed to be completed on the student’s
own home PC via virtual machines and external cloud hosting,6
saving precious lab space and network policy headaches from
attack traffic for the course.
6
We utilized the https://hack.me/ cloud for the web exercises.
7 8
Course web site can be found at The course web site can be found at
http://www.cs.fsu.edu/~liux/courses/offensivesec-2015/index.html http://www.cs.fsu.edu/~liux/courses/offensivenetsec/index.html;
; Note that this is not part of the open courseware and some of the again some of the materials on the site are protected.
materials are protected. 9
Available from http://www.secdev.org/projects/scapy/.
We have begun a user satisfaction survey to collect data on faculty 8. REFERENCES
feedback on this courseware, which will be available at a later date. [1] Ablon, Lillian and Timothy Bogart. “Zero Days, Thousands
of Nights: The Life and Times of Zero-Day Vulnerabilities
6. CONCLUSION and Their Exploits.” Santa Monica, CA: RAND Corporation,
We presented the results from our efforts to address core needs in 2017.
cybersecurity curricula with the Offensive Computer Security http://www.rand.org/pubs/research_reports/RR1751.html.
course; however, much more effort is needed collectively to
address the identified emerging needs of the field. When defenders [2] Cheung, Ronald S., et al. "Effectiveness of cybersecurity
are not taught the modern offensive analytical tools to measure competitions." Proceedings of the International Conference
defense, they make erroneous conclusions about the state of a on Security and Management (SAM). The Steering
system’s security, and thus design and certify systems that they Committee of The World Congress in Computer Science,
themselves cannot break. The RAND report shows that the Computer Engineering and Applied Computing
collective efforts of software developers to find and patch (WorldComp), 2012.
vulnerabilities are ineffective at best to combat the 0-day [3] Jon Erickson, Hacking: The Art of Exploitation, 2nd Edition,
vulnerability research performed by advanced persistent threats. If No Starch Press, 2008.
the academic community wishes to reverse this trend, we believe a
fundamental pivot is needed in early courses on software [4] Gavas, Efstratios, Nasir Memon, and Douglas Britton.
development and cybersecurity to adopt the offensive analytical "Winning cybersecurity one challenge at a time." IEEE
skills, tools, and techniques that black hat vulnerability researchers Security & Privacy 10.4 (2012): 75-79.
utilize to find and weaponized 0-day vulnerabilities. [5] Kruger, Justin, and David Dunning. “Unskilled and unaware
of it: how difficulties in recognizing one's own incompetence
7. ACKNOWLEDGMENTS lead to inflated self-assessments.” Journal of personality and
Our special thanks to the following contributors to the courseware, social psychology 77.6 (1999): 1121.
listed in chronological order of contribution: Joshua Lawrence,
Abdullah Raiaan, Mitch Adair, Devin Cook, Hahna Kane Latonick,
and Jason Reynolds.