Teaching the security mindset with reference monitors

Justin Cappos, Richard Weiss

    Research output: Contribution to conferencePaperpeer-review


    One of the central skills in computer security is reasoning about how programs fail. As a result, computer security necessarily involves thinking about the corner cases that arise when software executes. An unfortunate side effect of this is that computer security assignments typically necessitate deep understanding of a topic, such as how the stack is laid out in memory or how web applications interact with databases. This work presents a series of assignments that require very little background knowledge from students, yet provide them with the ability to reason about failures in programs. In this set of assignments, students implement two very simple programs in a high-level language (Python). Students first implement a reference monitor that tries to uphold a security property within a sandbox. For the second portion, the students are provided each others' reference monitors and then write attack code to try to bypass the reference monitors. By leveraging a Python-based sandbox, student code is isolated cleanly, which simplifies development and grading. These assignments have been used in about a dozen classes in a range of environments, including a research university, online classes, and a four year liberal arts school. Student and instructor feedback has been overwhelmingly positive. Furthermore, survey results demonstrate that after a 2-3 week module, 76% of the students who did not understand reference monitors and access control learned these key security concepts.

    Original languageEnglish (US)
    Number of pages6
    StatePublished - 2014
    Event45th ACM Technical Symposium on Computer Science Education, SIGCSE 2014 - Atlanta, GA, United States
    Duration: Mar 5 2014Mar 8 2014


    Other45th ACM Technical Symposium on Computer Science Education, SIGCSE 2014
    Country/TerritoryUnited States
    CityAtlanta, GA


    • Access control
    • Python
    • Reference monitor
    • Security

    ASJC Scopus subject areas

    • Computer Science (miscellaneous)


    Dive into the research topics of 'Teaching the security mindset with reference monitors'. Together they form a unique fingerprint.

    Cite this