Building a Virtual Constructivist Learning Environment for Learning Computing Security and Forensics

Abstract

Practical experience of security and forensic computing is of increasing relevance for student employability. Further, courses related to these topics have increased in student popularity. Learning by doing (or experiential learning) is an effective pedagogical way to help students constructively build up their knowledge related to these courses.

To improve student engagement and employability and make these courses sustainable, the paper has proposed and developed a portable unified constructivist-learning environment using virtualisation technology, and designed a wide spectrum of hands-on materials on both security and forensic computing topics to offer students a great chance to experience experiential learning. The work presented in this paper is a typical exemplar of applying constructivist learning theories into security and forensic computing education and other similar courses. It is a new way to improve and transform undergraduate STEM education.

Keywords:

• computing security and forensics
• constructivist learning
• virtualisation

Introduction

With the increasing demand for specialists in security and forensic computing, many universities have implemented the related topics as mainstream courses at both undergraduate and postgraduate levels. Effective learning on these courses relies heavily on engagement with significant amounts of hands-on exercises, as suggested in constructivist learning theory (Vygotsky 1978, Piaget 2001). Constructivist learning places emphasis on providing the multi-representation of reality and knowledge, and encourages thoughtful reflection on experience. It utilises authentic tasks in a meaningful context rather than abstract instruction out of context, which can help students transfer their skills more easily to the work environment and improve students’ employable skills, such as problem-solving skills based on real-world cases.

Previous efforts have been made to create practical labs in relation to security topics. For example, the work (Tao et al. 2010) mainly focused on security teaching in Web applications. The researchers (Hill et al. 2001, Irvine et al. 2004) developed an example security project and network security labs. Attack-based labs (Micco & Rossman 2002, Wagner & Wudi 2004) used in many security courses were to help students to analyse and discover system vulnerabilities. Some other labs focused on teaching students application skills (Romney & Stevenson 2004, George & Valeva 2006, O’Leary 2006), for example, how to use security tools to enhance system security.

Despite the encouraging work, there are several limitations. Firstly, the existing work only covers limited topics related to security teaching only. To the best of our knowledge, there is little work done in offering forensic computing hands-on labs that could be publicly available for use in UK HEI sector. Secondly, most existing work adopted different techniques and required dedicated special computing environments, which are not standardised. It is time consuming and costly because educators need to invest money and time for the adaptation of the existing materials to their own institutional environments. Students also have to learn different learning environments. This hinders the wider adoption in the HE sectors. Additionally, many security and forensic computing-related labs require super-user privileges. However, no institution will give students super-user privileges on real machines because of the potential dangers.

To improve student engagement and employability (mainly strong problem-solving skills in this context) and make these courses sustainable, the paper has proposed and developed a portable unified constructivist-learning environment using virtualisation technology, and designed a wide spectrum of hands-on materials on both security and forensic computing topics to offer students a great chance to learn by doing, exploring and breaking. As part of our BLOSSOM project funded by The Higher Education Academy (HEA), the work presented in this paper is a typical exemplar of applying constructive learning theory into security and forensic computing education and other similar courses. It is a new way to improve and transform undergraduate STEM education.

Our contributions are as follows:

1. Incorporating both pedagogical and subject aspects into security and forensic computing education for enhancing learning and employability. Our work focuses on both constructivist design rationale and forensic and computing security principles and practical skills, and offers timely, up-to-date hands-on lab exercises for helping students in their professional careers.

2. Providing a unified portable constructivist learning environment. Pedagogically, the learning environment provides multiple real cases to enable students to solve problems and construct knowledge in a meaningful context, which can improve their employable skills. Technically, the project adopts virtualisation technology. The learning environment is implemented using virtual machines that are launched from a file without any requirement for super-user privilege or special purpose facilities. The students can conduct the hands-on exercises on their own personal computers or on any departmental modern PCs. The advantages of using this method are cost-effectiveness, standardisation and portability, which will facilitate its wide spread use in higher education.

3. Providing a complete software product. Our final product integrates software and a set of lab modules, which can be freely downloaded from the project website (http://www.scmdt.mmu.ac.uk/blossom/index.htm) and can be used by any user who is interested in security and forensics subjects.

Rationale and methodology

Computing security and forensics are closely linked with many subject areas such as networking, programming and operating systems. They generally cover a greater diversity of topics when compared to traditional computing science courses. For example, IPSec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. It is closely linked with both computer networking and security. The students need to first understand how network devices are interconnected and then how the network packets can be securely transferred between devices. It is critical to design materials that can help students develop both their general skills as computer scientists and professional skills as forensic and security specialists. Therefore, our work focuses on the development of a wide spectrum of security and forensic lab modules, which covers not only fundamental security principles and practices, but also general computing principles that help students understand, design, and improve system security and track down the forensics. Pedagogically, our labs are classified into three types of labs: ‘learning by breaking’, ‘learning by doing’ and ‘learning by exploration’. We describe what each category represents in the following sections and a full list of lab modules is detailed in Table 1. Additionally, a glossary of lab terms in relation to security and forensics can be found in Appendix 1.

Learning by breaking

This type of lab enables students to learn from their mistakes. It mainly helps students understand the principles and vulnerabilities of existing systems and applications, to build their own scenarios with flaws of security and forensic computing, and then to solve the problems.

Specific examples of security attack scenarios/exploits are demonstrated along with preventative techniques. These labs exploit the vulnerabilities of a system at different levels, such as operating systems, network protocols and Web applications. Specifically, some examples of our lab modules include:

• Network protocol related attack scenarios: IP (Internet Protocol) fragmentation, performing network attacks using Scapy (2013), etc. From these labs, the students can learn knowledge and skills such as networking, programming and security skills by using Scapy.

• Web-based security: For example, XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery). These security and forensic attack labs aim to help students understand the Web application vulnerabilities and design a secured Web application.

• Operating system related labs: For example, buffer overflow exploitation. Through step-by-step operations in this type of lab, the students can immediately gain experiences, for instance, how the buffer overflow works and how this vulnerability could be prevented. This lab involves programming in languages such as C++.

Learning by doing

The purpose of this type of lab is to reinforce the knowledge students have gained from lectures and to help them to apply it to real life. Students can design and implement security functionalities to harden computer systems based on objectives and various choices. Examples of these labs are:

• Forensic related labs: Steganography and steganalysis, forensic imaging, network forensics, etc. These labs mainly help students understand forensic analysis principles and methods.

• Security related labs: Secure transactions using SSL (Secure Socket Layer), cryptography (symmetric and asymmetric encryption), IPSec (Internet Protocol Security), etc. Students can learn how to encrypt and decrypt messages.

Learning by exploration

This type of lab focuses on both exploring security functionality and collecting and analysing forensic evidence. The labs help students to understand how to collect evidence from applications/components/networks/systems and how to analyse the evidence. For example, questions such as how do you perform ethical hacking? and what is the vulnerability of a system? can be explored. Examples of labs-related forensics and security include:

• Internet forensics: Firefox, Chrome and email analysis. The focus in this type of lab is on the analysis of user histories with different Web browsers.

• Ethical hacking: Based on real-world examples, and offering a valuable opportunity to develop ethical hacking skills, this type of lab explores the nature of system vulnerabilities and how they can be exploited in an ethical way.

• Linux capabilities and Set-UID (set user ID) vulnerability: This type of lab aims to explore vulnerabilities occurring in Linux systems by requiring students to conduct a set of experiments based on real case studies.

A full list of labs is described in Table 1.

Table 1 BLOSSOM lab modules.

ID	Name	Types	Notes
1	BLOSSOM User Guide	User Guide	Use of BLOSSOM
2	Virtual Machine Guide	Prerequisite lab
3	Linux Guide	Prerequisite lab
4	Buffer Overflow	Learning by breaking	Vulnerabilities/security
5	Cross Site Request Forgery (CSRF)	Learning by breaking	Vulnerabilities
6	DNS Pharming	Learning by breaking	Vulnerabilities
7	SQL Injection	Learning by breaking	Vulnerabilities
8	Cross Site Scripting (XSS)	Learning by breaking	Vulnerabilities
9	Automated Forensic Analysis Using Digital Forensic Framework	Learning by doing	Forensics
10	Forensic Imaging and Artifacts Analysis	Learning by doing	Forensics
11	Memory Forensics	Learning by doing	Forensics
12	Network Packet Analysis and Scapy Introduction	Learning by doing	Forensics/security
13	Scapy: Performing Network Attacks	Learning by doing	Forensics/security
14	Python Scripting with Scapy	Learning by doing	Forensics/security
15	Network Attacks	Learning by doing	Forensics/security
16	IPSec	Learning by doing	Security
17	Network Forensics – Network Traffic Analysis	Learning by doing	Forensics/security
18	Steganography & Steganalysis	Learning by doing	Forensics/security
19	Secure Transactions Using SSL	Learning by doing	Security
20	Linux Capabilities & Set-UID Vulnerability	Learning by exploration	Security
21	Introduction to Ethical Hacking	Learning by exploration	Forensics/security
22	Ethical Hacking: Vulnerability Assessment	Learning by exploration	Forensics/security
23	Internet Forensics	Learning by exploration	Forensics/security
24	Network Scanning with Scapy	Learning by exploration	Forensics/security
25	File Content Analysis	Learning by exploration	Forensics
26	Dynamic Content of Websites	Learning by exploration	Foundation for Web Security

Design of a portable virtual platform that lab exercises can run on

To conduct the labs, we have implemented lab modules as virtual instances in the form of files, which are therefore portable. The labs can be conducted on students’ personal computers or on any departmental modern PCs without the need of special computing environments/or of any concerns about super-user privilege. Our final product can be found on our project website (http://www.scmdt.mmu.ac.uk/blossom/index.htm) and is freely available for all users.

A virtual platform means the creation of a virtual machine by using software products (e.g. KVM 2012, Vmware 2012, XEN 2012). A virtual machine, as a guest machine, can run on a physical machine (a host machine). It is implemented by a folder of files and it acts like a real computer. We can create multiple virtual machines on one physical machine depending on the specification of the physical machine (a high-spec machine can host more virtual machines). We can make proper configurations on one or multiple virtual machines for different lab exercises. In our work, we have used the KVM virtualisation platform to develop lab modules along three themes – learning by breaking, learning by doing and learning by exploration and analysis. Several advantages of using virtualisation in the work include:

• Low cost: Apart from the cost associated with staff time, there is no other cost for employing virtualisation techniques. Xen and KVM are open sources. In our work, we have made use of the KVM virtualisation technique for our labs. Together with the unified learning environment, this makes labs affordable and serves to remove barriers to wider adoption.

• A unified portable learning environment: The virtual machines are implemented as virtual instances in the form of files. The lab environment is portable. Students can run the different labs on their own computers or departmental machines. Additionally, students can conduct the labs in a manner that would normally result in breaking the virtual machines without any concerns or worries. This is due to the fact that they can easily restart the labs using a fresh copy of the virtual instances.

• No constraints on super-user privilege: Many security labs need super-user privilege. With the virtual machine, a student can operate as super-user to conduct experiments without posing undue risk to the host machine configuration or network.

Implementation

In order to provide a portable unified learning environment for students, we have chosen an implementation approach based on virtualisation approach. The following subsections describe the implementation detail.

The unified portable learning platform

We have used KVM to realise the virtual platform. KVM is a pair of Linux kernel modules implementing full virtualisation on Linux operating systems for supported processors. One module provides core virtualisation infrastructure and the other provides specific processor vendor support, i.e. for Intel’s VT or AMD’s SVM. A KVM virtual machine operates within a single process on the host whilst a KVM is running. This is a piece of software adapted from the QEMU PC system emulator.

Each lab module mainly consists of two parts: 1) a base virtual image – a customised BLOSSOM image based on Debian Live (2013) where the necessary packages are preinstalled. We have also configured and developed scripts for real-world scenarios and experiment execution. 2) A lab module instruction document which allows students to complete the lab based on the instruction. Our learning platform can be easily configured on a single machine or a networked environment as shown in Figure 1. Figure 2 shows a virtual environment within BLOSSOM that has been created on a lab machine and Figure 3 shows an example of the steps carried out when conducting the network forensics lab.

Figure 1 BLOSSOM portable platform environment a) BLOSSOM – a single machine environment b) BLOSSOM – a network environment.

Figure 2 The BLOSSOM virtualised environment.

Figure 3 An example step of conducting a network forensic lab.

As part of the deliverables of the HEA funded project BLOSSOM (Han 2012), we conducted testing during the classes in the second term. Based on initial feedback for labs, the reflections were good in terms of the knowledge learned and skills gained by the students (some examples are illustrated in the Evaluation section).

The lab modules

During the course of the project, we developed 23 lab modules related to security and forensics. We also added two extra labs as prerequisite labs. All of the labs are described and listed in Table 1, which provides an overview of the lab modules. Please also refer to the glossary of terms in Appendix 1.

Evaluation

According to the project plan, we conducted the first stage test and evaluation on a small-scale by applying some lab modules to the second term class teaching (a large-scale evaluation will be carried out after the completion of the project according to the plan). We then modified the labs based on the students’ feedback as an iterative development of our lab modules (a questionnaire has been created for the feedback). A full list of questions on a large-scale evaluation can be found on the website, http://www.scmdt.mmu.ac.uk/blossom/deliverables.htm (Han 2012), however, we focused mainly on the following three questions:

1. Do you think this lab is useful?

2. How long did you spend on the lab?

3. What kind of knowledge have you gained from the lab?

Figures 4–7 are statistics of some selected tested labs based on the questionnaires. We have tested labs in the class teaching of both the third year students (16) and the second year students (40) respectively.

Figure 4 Feedback related to the question ‘Do you think this lab is useful?’ a) 16 students from the third year b) 16 students from the third year.

Figure 5 Feedback related to the question ‘How long did you spend on the lab?’ a) 16 students from the third year b) 16 students from the third year.

Figure 6 Feedback related to the question ‘Do you think this lab is useful?’ 40 students from the second year.

Figure 7 Feedback related to the question ‘How long did you spend on the lab?’ 40 students from the second year.

Figures 4a) and 4b) and Figures 5a) and 5b) show the evaluation results obtained from 16 students who were studying in the third year. It's also worth noting that these students already have a basic knowledge of Linux and virtualisation which is considered to be a prerequisite for most of these labs. With respect to the first question ‘Do you think this lab is useful?’ all students felt the labs were useful as shown in Figures 4a) and 4b). Most students strongly agreed, for instance, 63% for Scapy-performing network attacks, 50% for steganography and steganalysis. The degree of the challenges and difficulties are various, which were reflected in the responses to the second question ‘How long did you spend on the lab?’, where 50% of students spent one hour and 44% spent almost two hours to complete the lab (see Figures 5a) and 5b)). The main reason is that this lab involves new knowledge about Python programming and Scapy, which proved to be extremely difficult for almost half of the students in the class. Based on this feedback, we have therefore redesigned the tasks to accommodate the academic level of the students and have incorporated the changes into our new release of the software product (please refer to the project website http://www.scmdt.mmu.ac.uk/blossom/deliverables.htm (Han 2012)).

Figure 6 and Figure 7 show the evaluation results obtained from 40 students who were studying in the second year. These students had no prior Linux or virtualisation-related knowledge and the academic level of the second-year students is lower than the third-year students. With regard to the first question, 81% of students felt the lab Ethical Hacking was very useful. The main reason is that we designed real scenarios to allow students to exploit the vulnerabilities and find the security hole of the system step by step. For the second question ‘How long did you spend on this lab?’, 50% of students finished the lab within one hour, whereas 38% of students spent two hours on the lab. The main reason for this is that the students first had to absorb some basic knowledge about Linux and virtualisation before starting the lab, which therefore took a longer time to complete.

With respect to the question ‘What knowledge have you learned?’, the students’ answers were very positive. The learned knowledge included not only the security and forensic principles but also general computing skill (Linux, virtualisation, computer networking, etc.).

Overall, the evaluation results showed the students from both the second and third years were genuinely interested in doing the labs. They enjoyed gaining new knowledge in areas such as Python programming, ethical hacking, steganography and steganalysis, which they had either never covered before or had a lesser understanding of.

Apart from the positive evaluation result directly obtained from the specific labs above, it is also worth mentioning that our computer forensic and security course has been nominated as one of the best courses in the university this year (http://www.staff.mmu.ac.uk/manmetlife/news/view/teaching-awards-2013-the-winners). This nomination also indirectly demonstrates the effectiveness of our proposed work.

Conclusion and future work

Student engagement and employability is key to the success of higher education. This work has incorporated both pedagogical and subject aspects into security and forensic computing education to create a unified portable constructivist-learning environment, and to provide a wider range of timely, up-to-date and hands-on exercises for helping students in their professional careers. Additionally, since the underlying technique of the work is to utilise virtualisation, all labs have been implemented as a file system image (in the form of files), which are portable. The advantages of this method are cost-effectiveness, standardisation and portability, which therefore facilitates its wide spread use in higher education and beyond. We have evaluated the work in the class teaching at both the second-year and the third-year levels, which cover different academic levels of students. The feedback following the labs is very positive and the course has also been nominated as one of the best courses of the year in the university. The lab modules set up real scenarios, which provide a realistic environment for learning and increase the students’ employable skills. We have planned for a full-scale evaluation by engaging the wider community, for example, practitioners in industry, general users and students and lecturers from other HEIs. Specifically:

1. To formally introduce the lab modules to all classes related to security and forensic computing teaching in the coming terms.

2. In order to generate a wider impact, we have set up a project website which is open to any interested individuals to download and learn the security and forensic principles. We have already created questionnaires on the website to collect feedback from users who have downloaded and used our software product.

3. We have communicated with our industry partners and are planning to have a short course on the labs developed.

Our work not only provides a new systematic way to sustain the computer security and forensic courses and to improve and transform undergraduate STEM education, but also offers great opportunities for a wide range of user groups.

Acknowledgements

This work is supported by BLOSSOM, a project funded by The Higher Education Academy (HEA). The authors acknowledge the support from the HEA and from the School of Computing, Mathematics and Digital Technology, Manchester Metropolitan University.

The authors would also like to thank anonymous reviewers who provided constructive comments on the earlier version of the paper.

Appendix 1:

A Glossary of Lab Terms

Table

1	Buffer Overflow: An anomalous case when a program or a process tries to store or write more data to a buffer than it was intended to hold. This is a special case of violation of memory safety.
2	Cross Site Request Forgery (CSRF): An attack which forces an end user to execute unwanted actions on a Web application in which he/she is currently authenticated.
3	DNS Pharming: An attack that redirects a website to another fake website by exploitation of a vulnerability in DNS software.
4	SQL Injection: An attack that exploits a security vulnerability in an application’s software. It is done by insertion or injection of a SQL query in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).
5	Cross Site Scripting (XSS): An attack that exploits security vulnerability in Web applications. It enables attackers to inject client side script into Web pages viewed by other users.
6	Forensic Imaging: Used to preserve the contents of a custodian hard drive or server. A forensic image is often created using software that is running on a computer forensic examiner’s laptop or lab computer.
7	Memory Forensics: A forensic analysis of a computer’s memory dump.
8	Scapy: An interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
9	IPSec: An Internet Protocol (IP) Security for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session.
10	Steganography: The art and science of hiding information by embedding messages within other, seemingly harmless messages.
11	Steganalysis: The art and science of detecting messages hidden using steganography.
12	SSL: Cryptographic protocols that provide communication security over the Internet.
13	Ethical Hacking: Aims to improve the security of a system by finding security flaws and fixing them in a professional way. The hackers are professionals and usually sign contracts with the organisations before conducting the evaluation.
14	Set-UID Vulnerability: A Unix access right flag that allows users to run an executable with the permissions of the executable’s owner or group respectively and to change behaviour in directions. Its vulnerability consists in using SetUID to run as root by an attacker.