The SFS Summer Research Study at UMBC: Project-Based Learning Inspires Cybersecurity Students

No Thumbnail Available

Links to Files

https://arxiv.org/abs/1811.04794

Permanent Link

http://hdl.handle.net/11603/14295

Collections

UMBC Center for Cybersecurity
About UMBC and Its People
UMBC Center for Information Security and Assurance (CISA)
UMBC Education Department
UMBC Faculty Collection
UMBC Instructional Technology & New Media
Load more

Author/Creator

Author/Creator ORCID

Date

2018-11-12

Type of Work

journal articles preprints
Text

Department

Program

Citation of Original Publication

Alan Sherman, et.al, The SFS Summer Research Study at UMBC: Project-Based Learning Inspires Cybersecurity Students, Cryptography and Security, 2018, https://arxiv.org/abs/1811.04794

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Subjects

Code injection
computer and network security
cybersecurity
CyberCorps: Scholarship for Service (SFS)
firewalls
NetAdmin
project-based learning
record overflow
security evaluation
UMBC SFS Summer Research Study
UMBC Federal Cybercorps Scholarship for Service (SFS)

Abstract

May 30-June 2, 2017, Scholarship for Service (SFS) scholars at the University of Maryland, Baltimore County (UMBC) analyzed the security of a targeted aspect of the UMBC computer systems. During this hands-on study, with complete access to source code, students identified vulnerabilities, devised and implemented exploits, and suggested mitigations. As part of a pioneering program at UMBC to extend SFS scholarships to community colleges, the study helped initiate six students from two nearby community colleges, who transferred to UMBC in fall 2017 to complete their four-year degrees in computer science and information systems. The study examined the security of a set of "NetAdmin" custom scripts that enable UMBC faculty and staff to open the UMBC firewall to allow external access to machines they control for research purposes. Students discovered vulnerabilities stemming from weak architectural design, record overflow, and failure to sanitize inputs properly. For example, they implemented a record-overflow and code-injection exploit that exfiltrated the vital API key of the UMBC firewall. This report summarizes student activities and findings, and reflects on lessons learned for students, educators, and system administrators. Our students found the collaborative experience inspirational, students and educators appreciated the authentic case study, and IT administrators gained access to future employees and received free recommendations for improving the security of their systems. We hope that other universities can benefit from our motivational and educational strategy of teaming educators and system administrators to engage students in active project-based learning centering on focused questions about their university computer systems.