ABSTRACT
The C language is used to develop software that implements fundamental mechanisms used by higher level software to protect data. Yet C continues to be difficult for students to understand and use securely, and integer errors continue to create vulnerabilities. In fact, \em Integer Overflow or Wraparound is listed at position 11 in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. This paper presents the Expression Evaluation (EE) visualization tool that helps students understand the type conversions that take place implicitly within a C program. This tool depicts step-wise the coercions that take place within the compilation of an expression with mixed integer type operands. This enables students to create unlimited examples to test their understanding. We present the results of our evaluation of EE in both a lower-level class and an upper-level class. We also present the results of an expanded evaluation of a complementary integer security education tool Integer Representation (IR) in these same classes. This represents evaluation of IR across a wider student audience; prior evaluations of the IR tool were within classes focused on low-level programming and security. Our evaluation results showed that students in an upper-level course improved their understanding in both IR and EE more significantly than students in a lower-level course. As shown by the data collected from both classes, our tools were easy to use and very effective.
- James W. Benham. 1992. A Geometric Approach to Presenting Computer Representations of Integers. SIGCSE Bull. 24, 4 (Dec. 1992), 27--28.Google ScholarDigital Library
- Derek Ebeling and Rob Santos. 2007. Public Key Infrastructure Visualization. J. Comput. Sci. Coll. 23, 1 (Oct. 2007), 247--254.Google ScholarDigital Library
- Yi Gu, Nilufer Onder, Ching-Kuang Shene, and Chaoli Wang. 2014. FPAvisual: A Tool for Visualizing the Effects of Floating-Point Finite-Precision Arithmetic. In Proceedings of American Society for Engineering Education Annual Conference. Indianapolis, IN.Google ScholarCross Ref
- Niakam Kazemi and Shiva Azadegan. 2010. IPsecLite: A Tool for Teaching Security Concepts. In Proceedings of the 41st ACM Technical Symposium on Computer Science Education (Milwaukee, Wisconsin, USA) (SIGCSE '10). ACM, New York, NY, USA, 138--142.Google ScholarDigital Library
- Yifei Li, Steve Carr, Jean Mayo, Ching-Kuang Shene, and Chaoli Wang. 2012. DTEvisual: A Visualization System for Teaching Access Control Using Domain Type Enforcement. Journal of Computing Science in College 28, 1 (October 2012), 125--132.Google ScholarDigital Library
- Jun Ma, Jun Tao, Melissa Keranen, Jean Mayo, Ching-Kuang Shene, and Chaoli Wang. 2014. SHAvisual: A Secure Hash Algorithm Visualization Tool. In Proceedings of the 2014 conference on Innovation & technology in computer science education. ACM, 338--338.Google ScholarDigital Library
- Joerg Herter Robert C. Seacord. 2020. INT02-C. Understand integer conversion rules. https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+ integer+conversion+rules. Last accessed 08-Jan-2021.Google Scholar
- Dino Schweitzer and Leemon C. Baird III. 2006. The design and use of interactive visualization applets for teaching ciphers. In Proceedings of the 7th Annual IEEE Information Assurance Workshop. 69--75.Google Scholar
- Dino Schweitzer, Mike Collins, and Leemon C Baird III. 2007. A visual approach to teaching formal models in security. In Proceedings of the 11th Colloquium for Information Systems Security Education (CISSE). 69--75.Google Scholar
- Dino L. Schweitzer, Leemon C. Baird III, Mike D. Collins, Wayne C. Brown, and Mike Sherman. 2006. GRASP: A visualization tool for teaching security protocols. In Proceedings of the 10th Colloquium for Information Systems Security Education. 75--81.Google Scholar
- Jun Tao, Jun Ma, Melissa Keranan, Jean Mayo, and Ching-Kuang Shene. 2012. ECvisual: A Visualization Tool for Elliptic Curve Based Ciphers. In roceedings of the 43rd ACM technical symposium on Computer Science Education. ACM, 571--576.Google Scholar
- Jun Tao, Jun Ma, Melissa Keranen, Jean Mayo, and Ching-Kuang Shene. 2011. DESvisual: A Visualization Tool for the DES Cipher. Journal of Computing Science in College 27, 1 (October 2011), 81--89.Google Scholar
- Jun Tao, Jun Ma, Melissa Keranen, Jean Mayo, Ching-Kuang Shene, and Chaoli Wang. 2014. RSAvisual: A Visualization Tool for the RSA Cipher. In Proceedings of the 45th ACM technical symposium on Computer science education. ACM, 635--640.Google ScholarDigital Library
- Kenneth Vollmar and Pete Sanderson. 2006. MARS: An Education-oriented MIPS Assembly Language Simulator. In Proceedings of the 37th SIGCSE Technical Symposium on Computer Science Education (Houston, Texas, USA) (SIGCSE '06). ACM, 239--243.Google ScholarDigital Library
- James Walker, Man Wang, Steven Carr, Jean Mayo, and Ching-Kuang Shene. 2019. Teaching Integer Security Using Simple Visualizations. In Proceedings of the 2019 ACM Conference on Innovation and Technology in Computer Science Education (Aberdeen, Scotland Uk) (ITiCSE '19). ACM, 513--519.Google ScholarDigital Library
- James Walker, Man Wang, Steve Carr, Jean Mayo, and Ching-Kuang Shene. 2020. A System for Visualizing the Process Address Space in the Context of Teaching Secure Coding in C (SIGCSE '20). ACM, 1033--1039.Google Scholar
- Man Wang, Steve Carr, Jean Mayo, Ching-Kuang Shene, and Chaoli Wang. 2014. MLSvisual: A Visualization Tool for Teaching Access Control Using Multi-Level Security. In Proceedings of the 2014 conference on Innovation & technology in computer science education. ACM, 93--98.Google ScholarDigital Library
- Justin Warner, David Musielewicz, G. Parks Masters, Taylor Verett, Robert Winchester, and Steven Fulton. 2010. Network Firewall Visualization in the Classroom. J. Comput. Sci. Coll. 26, 2 (Dec. 2010), 88--96.Google ScholarDigital Library
- Cecile Yehezkel, Mordechai Ben-Ari, and Tommy Dreyfus. 2005. Computer Architecture and Mental Models. In Proceedings of the 36th SIGCSE Technical Symposium on Computer Science Education (St. Louis, Missouri, USA) (SIGCSE '05). ACM, 101--105.Google ScholarDigital Library
- Xiaohong Yuan, Percy Vega, Yaseen Qadah, Ricky Archer, Huiming Yu, and Jinsheng Xu. 2010. Visualization Tools for Teaching Computer Security. Trans. Comput. Educ. 9, 4 (Jan. 2010), 20:1--20:28.Google Scholar
Index Terms
- Design and Use of a Visualization for Teaching Integer Coercion
Recommendations
A Visualization for Teaching Integer Coercion
ITiCSE '21: Proceedings of the 26th ACM Conference on Innovation and Technology in Computer Science Education V. 2Integer errors continue to create vulnerabilities. In fact, Integer Overflow or Wraparound is listed at position 11 in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. This poster describes the Expression Evaluation (EE) visualization tool that ...
Teaching Integer Security Using Simple Visualizations
ITiCSE '19: Proceedings of the 2019 ACM Conference on Innovation and Technology in Computer Science EducationInteger errors can introduce significant vulnerabilities into C programs. We have developed a program analysis and visualization tool to help students understand integer representation and type conversions with the goal to help students avoid ...
A Capstone Design Project for Teaching Cybersecurity to Non-technical Users
SIGITE '16: Proceedings of the 17th Annual Conference on Information Technology EducationThis paper presents a multi-year undergraduate computing capstone project that holistically contributes to the development of cybersecurity knowledge and skills in non-computing high school and college students. We describe the student-built Vulnerable ...
Comments