S5-AS3-2 - Developing and Assessing a Web-based Interactive Visualization Tool to Teach Buffer Overflow Concepts

Innovative Practice Full Paper
Jinghua Zhang¹, Xiaohong Yuan², Jaris Johnson¹, Jinsheng Xu², Mounika Vanamala²
¹ Winston-Salem State University
² North Carolina A&T State University

Historically, buffer overflow has been the number one security vulnerability in applications for many years. More recently, advances in protection methods including non-executable stacks, canaries, ASLR, and Windows DEP have made buffer overflow attacks a much smaller security concern on desktop and laptop computers, but they are still a serious issue in embedded systems and microcontrollers. Even with buffer overflow being less critical in desktop environments, it is still very important to teach students this topic for several reasons. First, although buffer overflow's usefulness for code injection on the stack is diminished, programmers still make mistakes when using buffers, and these mistakes can still cause significant damage. By teaching buffer overflow to students, we can teach them the importance of input validation and buffer boundary checking. Second, students can learn several important concepts, including how the call stack works, safe vs. unsafe libraries, safe vs. unsafe programming languages, integer overflow, and various protection methods. Several tools are available for teaching buffer overflow attacks, but there are no easily accessible interactive teaching tools to help students understand the concepts. We developed a web-based interactive visualization tool that aims to help students gain a deeper understanding of buffer overflow concepts. It has six learning components that build upon one another, with an assessment after each component for immediate learning feedback, and a space shooter mini-game between learning components. To evaluate the impact of this online visualization tool on students' learning, we developed in-game assessments, a pre-test, a post-test and a survey. The tool was used in two classes at two universities in Fall 2019. The classroom experience reports and focus group discussion show that it helped students improve their understanding of buffer overflow concepts.
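As an added illustration of the input validation, boundary checking, and safe-vs-unsafe library points the abstract lists (example code written for this page, not part of the authors' tool): an unbounded `strcpy()` into a fixed stack buffer beside a length-checked copy, plus the `strncpy()` termination pitfall that a "safe" replacement can still carry. The buffer size and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: fixed-size stack buffer used by both versions */

/* Unsafe pattern: strcpy() copies until the source NUL with no regard for the
 * destination size, so any input of NAME_LEN bytes or more overruns 'name'
 * on the stack and corrupts whatever lies beyond it (undefined behaviour). */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);              /* no bounds check at all */
    printf("Hello, %s\n", name);
}

/* Hardened copy: validate the length before touching the buffer and always
 * leave room for the terminator. Returns 0 on success, -1 if rejected. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) /* n + 1 bytes (with NUL) must fit */
        return -1;
    memcpy(dst, src, n + 1);          /* n + 1 copies the NUL as well */
    return 0;
}

int greet_safe(const char *input) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "input rejected: %zu bytes exceeds limit of %d\n",
                strlen(input), NAME_LEN - 1);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

/* "Safe library" caveat: strncpy() does not write a NUL when the source fills
 * the whole buffer, leaving an unterminated string that a later strlen() or
 * printf("%s") reads past. Returns 1 if dst is terminated within dst_len. */
int strncpy_terminated(char *dst, size_t dst_len, const char *src) {
    strncpy(dst, src, dst_len);
    return memchr(dst, '\0', dst_len) != NULL;
}

int main(void) {
    greet_safe("Ada");                                   /* accepted */
    greet_safe("this-name-is-far-too-long-for-the-buffer"); /* rejected */
    return 0;
}
```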