Undergraduate Cyber Security Course Projects

D. Paul Benjamin
Computer Science Department
Pace University
New York, NY 10038
benjamin@pace.edu

Charles Border
Department of Information Science
Rochester Institute of Technology
Rochester, NY 14623
cborder@it.rit.edu

Robert Montante
Department of Mathematics, Computer Science and Statistics
Bloomsburg University
Bloomsburg, PA 17815
bobmon@bloomu.edu

Paul J Wagner (Moderator)
Department of Computer Science
University of Wisconsin – Eau Claire
Eau Claire, WI 54702
wagnerpj@uwec.edu

1 Summary

Computer science educators are increasingly being asked to provide education in the area of computer security, and a number of institutions are offering computer security courses and developing computer security programs. However, there is a need for computer security educators to develop “hands-on” projects that enable their students to move beyond a theoretical understanding of the field and develop practical skills that can be used in implementing secure computer systems for their future business and government employers.

This 75-minute panel session will discuss current and future ideas for computer security course projects in a typical computer science undergraduate curriculum. The emphasis of this panel is on practical course projects that emphasize issues and techniques in computer security and that can be used either in a stand-alone course on computer security, or as projects in other related courses at the undergraduate level.

The panelists will demonstrate a consistency of purpose but also a wide variety of approaches among the projects selected and the courses in which they can be used. The schools represented vary from medium to large state universities to a private college to a large independent institute.

The projects to be discussed vary across a number of dimensions. They range from low-level programming exercises (e.g. buffer overflow) to conceptual policy development and implementation (e.g. password policies).
The projects deal with computer security from the point of view of the system administrator, the security officer, and the programmer. They touch on a number of other computer science topics, including networking, database systems, and software development, and thus have potential applicability in a variety of courses.

The unifying theme of the panel – the desire to provide “off the shelf” computer security course projects that other undergraduate computer science programs can adopt and implement with ease – will be evident throughout. By presenting a wide variety of projects and approaches to achieve this end, it is hoped that any audience participants who wish to create a cyber security thread or project in their own programs will find some ideas to help them.

The program for the panel will allow each panelist a maximum of 12 minutes to outline their projects and approaches. The remaining 30 minutes will then be reserved for general discussion and questions and contributions from the audience.

2 D. Paul Benjamin

Benjamin’s project is intended to teach the concept of a buffer overflow, and how it can be used to attack a machine. It will also illustrate the usefulness of assembly language programming. This project will be included in our computer architecture course, because that is where we teach assembler programming. It could also be part of an operating system course or a security course.

Each student will program a simple function call in C, and then list the assembly language output of the C compiler. A simple alteration of the assembler code will permit the student to return to a different part of the calling code. Then the student will learn how to insert assembler code so that calling the function causes a shell to execute. This