Developing and Assessing a Web-Based Interactive Visualization Tool to Teach Buffer Overflow Concepts

This Innovative Practice Full Paper presents a new way to teach buffer overflow concepts. For many years, buffer overflow was the number one security vulnerability in applications. More recently, advances in protection methods, including non-executable stacks, canaries, ASLR, and Windows DEP, have made buffer overflow attacks a much smaller security concern, but they remain a serious issue in embedded systems and micro-controllers. It is therefore still very important to teach students this topic. Several tools are available for teaching buffer overflow attacks, but there are no easily accessible interactive teaching tools to help students understand the concepts. We developed a web-based interactive visualization tool that aims to help students gain a deeper understanding of buffer overflow concepts. It has six learning components that build upon one another, with an assessment after each component for immediate learning feedback, and a space shooter mini-game between each learning component. To evaluate the impact of this online visualization tool on students’ learning, we developed in-game assessments, a pre-test, a post-test, and a survey. The tool was used in two classes at Winston-Salem State University (WSSU) and North Carolina A&T State University (NC A&T) in Fall 2019. The classroom experience reports and focus group discussion show that this tool helped students improve their understanding of buffer overflow concepts.
