diff --git a/bibliography.bib b/bibliography.bib index 6590bc7..51feecd 100644 --- a/bibliography.bib +++ b/bibliography.bib @@ -1,16 +1,86 @@ -@phdthesis{balint_bokros_informatikai_2017, - title={Informatikai oktató rendszer funkcionalitásának bővítése azonos témakört bemutató feladatok hatékony prezentálásához}, +@thesis{BokaThesis, + title={Expanding the functionality of an e-learning platform to effectively present challenges in the same topic}, language={hungarian}, author={Bálint Bokros}, month=dec, year={2017} } -@misc{AkosFacebook, +@online{AkosFacebook, title={The three fatal bugs behind the Facebook breach}, - howpublished="\url{https://blog.avatao.com//The-three-fatal-bugs-behind-the-Facebook-breach/}", + url={https://blog.avatao.com//The-three-fatal-bugs-behind-the-Facebook-breach/}, + journal={Avatao blog}, author={Ákos Hajba}, language={english}, month=oct, year={2018} } + +@online{FacebookBreach, + title={Facebook Security Update}, + url={https://newsroom.fb.com/news/2018/09/security-update/}, + journal={Facebook newsroom}, + author={Guy Rosen}, + language={english}, + month=sep, + year={2018} +} + +@online{ChinaSurv, + title={Inside China’s Dystopian Dreams: AI, Shame and Lots of Cameras}, + url={https://www.nytimes.com/2018/07/08/business/china-surveillance-technology.html}, + journal={The New York Times}, + language={english}, + author={Paul Mozur}, + month=jul, + year={2018} +} + +@online{ChinaCredit, + title={China has started ranking citizens with a creepy 'social credit' system}, + url={https://www.businessinsider.com/china-social-credit-system-punishments-and-rewards-explained-2018-4}, + journal={Business Insider}, + language={english}, + author={Alexandra Ma}, + month=oct, + year={2018}, +} + +@online{SelfDriving, + title={Hackers Are the Real Obstacle for Self-Driving Vehicles}, + url={https://www.technologyreview.com/s/608618/hackers-are-the-real-obstacle-for-self-driving-vehicles/}, + journal={MIT Technology Review}, + language={english}, + author={Simson Garfinkel}, + month=aug, + year={2017}, +} + +@online{Android, + title={Android 'API breaking' vulnerability leaks device data, allows user tracking}, + url={https://www.zdnet.com/article/android-operating-system-vulnerability-leaks-device-data-allows-user-tracking/}, + journal={ZDNet}, + language={english}, + author={Charlie Osborne}, + month=aug, + year={2018}, +} + +@online{IoTDDoS, + title={Massive Dyn DDOS Attack: Experts Blame Smart Fridges, DVRs And Other IoT Devices Why Your Internet Went Down}, + url={https://www.techtimes.com/articles/183339/20161024/massive-dyn-ddos-attack-experts-blame-smart-fridges-dvrs-and-other-iot-devices-why-your-internet-went-down.htm}, + journal={Tech Times}, + language={english}, + author={Horia Ungureanu}, + month=oct, + year={2016}, +} + +@online{ITSecEdu, + title={Education as a key factor in the process of building cybersecurity}, + url={https://2017.cybersecforum.eu/files/2016/12/ecj_vol2_issue1_i.albrycht_education_as_a_key_in_the_process_of_building_cybersecurity.pdf}, + language={english}, + author={IZABELA ALBRYCHT}, + year={2016}, +} + diff --git a/content/introduction.tex b/content/introduction.tex index 288472f..1c1e1b3 100644 --- a/content/introduction.tex +++ b/content/introduction.tex @@ -1,5 +1,7 @@ \chapter{Introduction} +\section{Project justification} + As the world is being completely engulfed by software, the need for accessible, but high quality learning materials on software engineering and especially secure software engineering is on the rise. @@ -7,22 +9,43 @@ While we are enjoying the comfort that information technology provides us, we of about the risks involved in relying so much on software in our everyday lives. When taking a look on recent events, such as a cyber arms race taking place between leading powers, 50 million Facebook accounts being breached -due to the incorrect handling of access tokens, or how China is building an Orwellian state -of total digital surveillance it becomes clear that security and privacy in the IT sector +due to the incorrect handling of access tokens \cite{FacebookBreach}, +or how China is building an Orwellian state of total digital surveillance +\cite{ChinaSurv}\cite{ChinaCredit}, +it becomes clear that security and privacy in the IT sector is more important now than ever. With all of our data slowly crawling towards the cloud and an IoT revolution on our necks, we as an industry must face the music and start actually doing something before we enter -a new age of digital wild west. +a new age of digital wild west, which could involve us running around in vulnerable self +driving cars\cite{SelfDriving} with power over life and death, while exposing all our +sensitive data through our ill-protected smart phones\cite{Android} and IoT devices\cite{IoTDDoS}. +What a time to be alive. Unless we want to disconnect all our devices from all networks and ban USB sticks, the best -lines of defense are going to be people -- a new generation of \emph{security conscious} users and -developers. +lines of defense are going to be people -- a new generation of \emph{security conscious} +users and developers. + +Among many other things outside IT, this is only possible with education\cite{ITSecEdu}. +We need to come up with engaging, addictive and fun ways to learn (and teach), so that +more and more people will be motivated to do so and the drive to acquire and share +knowledge is something that comes naturally, rather than something we have to struggle for. +I believe that this is something that \emph{can} and \emph{should} be applied to +everything we do as a society. +The only thing we can hope and work for is to become better and better as time +and generations pass. +We \emph{must} do better, and education is the way forward. + +The short term goal of this project -- and thesis -- is to provide a new angle +in the education of software engineering, especially secure software engineering +based on the aspirations above, with the long term goal of bringing something new +to the table in the matter of IT education as a whole +(not just developers, but users as well). + +\section{A Short Introduction to Avatao} The goal of Avatao as a company is to help software developers in building a \emph{culture} of security amongst themselves, with the vision that if the world is going to be taken over by software no matter what, that software might as well be \emph{secure software}. -Unless we want to run around in vulnerable self driving cars while exposing all our sensitive -data through our ill-protected smart phones that is. To achieve this goal we have been working on an online e-learning platform with hundreds\ \footnote{654 exercises as of today, to be exact} of hands-on learning exercises to help students and professionals @@ -30,7 +53,7 @@ master IT security, collaborating with universities around the world and providing a solution for companies in building \emph{security consciousness} amongst their developer teams. -Since starting out we have amassed some experience in building fun challenges and tutorials +Since starting out we have amassed some experience in building fun challenges that showcase the exploitation and fixing of relevant security vulnerabilites in code or configuration. Traditionally these exercises revolved around offensive and defensive tasks, with challenges @@ -44,28 +67,119 @@ and understand the ways they augment each other. We often recreate real world scenarios based on incident reports released by companies for added authenticity and relevance \cite{AkosFacebook}. Our challenges usually involve some sort of website acting as frontend for the vulnerable -application, or require the user to connect to a server using SSH. +application, or require the user to connect using SSH. + +The Avatao platform relies heavily on Docker containers to spawn challenges, +which makes it extremely flexible in terms of what is possible to do when creating +content. +Essentially anything that you can do inside a Docker conainer can be done on +the Avatao platform as well. +Currently each challenge is implemented as a set of Docker images residing inside a +Git repository exclusive to the specific challenge in mind. +Our content creation wokflow enables developers to create such repositories on GitHub, +which are automatically set up with the proper webhooks, so that when their content gets +reviewed (and their feature branches merged), their changes will go live on the +platform as well. +In the future we also plan on supporting the use of virtual machines to implement +challenges, which could further increase this fexibility by addig the possiblity to do +things like exercises involving the use of Docker or Windows based challenges. + +\section{Emergence} While working as a content creator I have stumbled into the idea of automating the completion -of challenges for QA\footnote{Quality assurrance} and demo purposes\ +of challenges for QA\footnote{Quality Assurrance} and demo purposes\ \footnote{I used to record short videos or GIFs to showcase my content to management}. In a certain scenario I was required to integrate a web based terminal emulator in a -frontend application to improve user experience by making it possible to use a terminal +frontend application to improve user experience by making it possible to use a shell right on the website rather than having to connect through SSH. After I got this working I was looking into writing hacky bash scripts to automate the steps required to complete the challenge in order to make it easier for me to record the solution, -as I have often found myself recording over and over for a demo without any mistakes. -During the time I was playing around with this idea, researching possible solutions I've found -a hidden gem of a project on GitHub called \emph{demo-magic}\ +as I have often found myself recording over and over again for a demo without any mistakes. +During the time I was playing around with this idea, researching possible solutions have led me +to a hidden gem of a project on GitHub called \texttt{demo-magic}\ \footnote{\href{https://github.com/paxtonhare/demo-magic}{https://github.com/paxtonhare/demo-magic}}, which is esentially a bash script that simulates someone typing into a terminal and executing commands. -I have created a fork of the project and integrated it into my challenge. +I have created a fork\ +\footnote{The source code is available at +\href{https://git.strongds.hu/mrtoth/demo.sh/src/master/demo.sh}{https://git.strongds.hu/mrtoth/demo.sh/src/master/demo.sh}} +of the project and integrated it into my challenge. Soon after recording demo videos was not even necessary anymore, as I have started to distribute the solution script with the challenge code itself, making it toggleable using build-time variables. +Should the solution script be enabled, the challenge would automatically start\ +\footnote{I did this by injecting the solution script into the user's \texttt{.bashrc} file} +completing itself in the terminal integrated into it's frontend, often even explaining the +commands executed during the solution process. + +\lstinputlisting[ + language=bash, + caption={Example for a solution script}, + captionpos=b +]{listings/demosh.example} I was quite pleased with myself, no longer having to do the busywork of recording videos, but what I did not know was that I have accidentally -did something far more than a hacky bash script solving my challenges, as this little script -was the basis of the idea for the project we call \emph{Tutorial Framework} or just \emph{TFW}. +did something far more than a hacky bash script solving challenges, as this little script +would help formulate the idea of the project \emph{Tutorial Framework} or just \emph{TFW}. + +\section{Introducing the Tutorial Framework} + +The whole ''challenges that solve themselves'' thing seemed like an idea that has great +potential if developed further. +We have envisioned something that resembles a learning video, but it is real, actual +software running and interacting with itself to showcase different topics to the user. +Something that would allow the users to stop at any given time, take a breath, interact +with the environment on their own (i.e. take a look a the directory structure or a file, +try what happens if a command is executed somewhat differently, etc.) and then +continue on with the tutorial. +We wanted to create something that would feel like if an actual teacher was standing +next to you, explaining topics to you in your own pace, while showing you how to solve +a related task. +This teacher scenario would allow you to take the helm sometimes and try applying +your newfound skills in action immediately. + +For example a chatbot would show you how to encrypt a file using GnuGP, +then it would ask you to encrypt an other file similarly. +After this the bot could show you how to a configure a database server and then +ask you to write a configuration file yourself and then encrypt it because it might +contain sensitive data such as open ports, usernames and such. + +Technically this is far from trivial however: we would have to keep track of the user's +progress at all times, be able to actually check if the user has successfully encrypted +the file by decrypting it and then checking if the configuration file is valid or not +(this would practically require trying to start a database server with it). +After all this we would still have to offer \emph{relevant} and helpful assistance if +something went wrong. + +Even if we did all this, we would still need a way to integrate this whole thing into +a web based frontend with a file editor, terminal, chat window and stuff like that. +Turns out that today all this can be done by writing a few hundred lines of Python +code which uses the Tutorial Framework. + +\section{Early Development} + +Around a year ago a good friend and collage of mine Bálint Bokros, the CTO of our company +Gábor Pék and myself would start designing the TFW architecture. +In this early phase we would research solutions for the issues described such as +tracking user progress, process management, interprocess communication +and making a web based frontend application capable of communicatig with processes running +inside a Docker container. + +After seeing some sort of light at the end of the tunnel regarding what technologies could +be applied and coming up with several good alternatives Bálint Bokros was tasked to +develop the first proof of concept and lay the foundations of the framework in his +Bachelor's Thesis\cite{BokaThesis}. + +Although not much of the original code base has remained due to intense refactoring +and all around changes, the result would serve as a solid foundation for further development, +and the architecture is mostly the same to this day. +The resulting code would be the first working POC\ +\footnote{Proof of Concept} of the framework showcasing the fixing of an SQL Injection +attack. + +After becoming a full time employee at Avatao I was tasked with developing the project +with Bálint, who was later reassigned to work on the GDPR compliance of the platform. +Thus it became my job to turn the framework into a stable code base ready for +usage by content creators and to implement most of the features that we've envisioned +earlier. diff --git a/listings/demosh.example b/listings/demosh.example new file mode 100644 index 0000000..13c7744 --- /dev/null +++ b/listings/demosh.example @@ -0,0 +1,19 @@ +source demo.sh +type "This is an interactive demo on how to solve this challenge.\n\n" +sleep 1 +type "Note, that you can run the commands pre-typed for you by\ + hitting ENTER (do it now to continue).\n" +wait +clear +type "The website on the right checks whether a user is an administrator\ + or not by comparing the username to the string 'admin'.\n\n" +type "This is very bad practice, for several reasons\ + (other than only allowing a single administrator account to exist).\ + Let's see why:\n\n" +type "This is the non-free binary blob used by the website right here:\n" +execute 'file $(realpath strcmp.out)' +sleep 2 +type "\nThis executable seems to compare strings. Badly:\n" +execute './strcmp.out cats cats' +execute './strcmp.out cat cats' + diff --git a/thesis.tex b/thesis.tex index 9d9dc53..1a037b6 100644 --- a/thesis.tex +++ b/thesis.tex @@ -4,14 +4,22 @@ \usepackage[magyar,english]{babel} \usepackage[defaultlines=10,all]{nowidow} \usepackage{advdate} -\usepackage{cite} -\usepackage{url} \usepackage{hyperref} +\usepackage{listings} +\usepackage{csquotes} +\usepackage{biblatex} +\addbibresource{bibliography.bib} + +\lstset{ + basicstyle=\scriptsize\ttfamily, + showstringspaces=false, + aboveskip=15pt, + belowskip=15pt, +} \setmainfont{Constantia} -\setsansfont{Constantia} -\setmonofont{Constantia} +\setmonofont{DejaVu Sans Mono} \renewcommand{\headrulewidth}{0pt} \fancyhead{} @@ -34,7 +42,8 @@ \include{content/abstract} \include{content/introduction} +\lstlistoflistings + \renewcommand\bibname{References} -\bibliography{bibliography}{} -\bibliographystyle{unsrt} +\printbibliography{} \end{document}