IOTA: Improved Design and Implementation of a Modular and Extensible Course Management System (Andrew Hamilton, 5th Period)

Post on 31-Dec-2015

Page 1

IOTA: Improved Design and Implementation of a Modular and Extensible Course Management System

Andrew Hamilton, 5th Period

Page 2

Background
- Blackboard: outdated, non-extensible, security holes, disliked
- Moodle: support is limited, lacks some features
- Iodine: code is complicated, easy to break existing functionality

Page 3

Purpose/Goals
Design/implement a web-based framework that is:
- Modular in design
- Easily extensible
- Intuitive in its interface
- Standards compliant
- Open to possible Iodine integration

Page 4

Quarter 1
- Kernel Module
- Configuration File
- Security Module
- Application Security
- Login Screen
- The Main Site Page

Page 5

Quarter 2
- Python Wrapper Script: interfaces with the radio via RS-232
- Login Module: authenticates users and provides session management control

Page 6

Quarter 3: Satellite-Ground Interface
- Antenna mounted on a dual-axis rotator.
- Auto-tracks using SatPC32 running on a Windows box.
- Radio currently connected to the same Windows box.

Data-flow diagram (recovered labels only): Web Submissions -> MySQL DB (SQL Query) -> Admin Approval -> Serial -> Radio/Satellite

Page 7

Problems/Limitations
- SatPC32 (the tracker program) only runs on Windows.
- Communication between Windows (tracker/radio) and Linux (webserver/MySQL DB) will likely have to be initiated by Windows.
- This prevents real-time command sequencing using the web interface. :( (nice feature to have, though not critical)
- Perhaps hook the radio up to the Linux box and use Windows only as the tracker (tracker and radio can be separated).

Page 8

Message Submission

Required features, each with a possible solution:
- Page must work without credentials: make the page separate from the kernel (outside of kernel security)
- Prevent automated submission: reCAPTCHA (by CMU)
- Prevent/filter double-submissions: search for the message in the DB and notify if it is already present
- Submit data to a secure DB: give the form INSERT permissions only

Optional enhancements, each with a possible solution:
- Allow deletion of quotes by the submitter: generate a unique hash and deliver it to the submitter
- View submitted/previously transmitted messages?: output a table of old quotes by date

Page 9

Spam Prevention Features
- reCAPTCHA blocks auto-submissions by random bots
- All inputs are escaped before use
- Email is obfuscated to protect against harvesting

Page 10

reCAPTCHA
- Developed by CMU
- Works to digitize old books and block bots simultaneously
- One of the most secure captchas available today
- Provides an audio captcha for the visually impaired
- Easy to implement (plugins/libraries)

Server-side check of the submitted answer (uses the private key; the key on the slide is partially redacted):

    require_once('recaptchalib.php');
    $privatekey = "6LfmUgUAAA..............................";
    $resp = recaptcha_check_answer($privatekey, $_SERVER["REMOTE_ADDR"],
                                   $_POST["recaptcha_challenge_field"],
                                   $_POST["recaptcha_response_field"]);
    if (!$resp->is_valid)
        $errors[] = "The reCAPTCHA wasn't entered correctly. Try it again.";

Rendering the widget inside the form (uses the public key):

    require_once('recaptchalib.php');
    $publickey = "6LfmUgUAAAAAAG45AtY6ok6gTLXsncjMaY9YIRrM";
    echo recaptcha_get_html($publickey);

Page 11

Data Escape
Prevents various injection attacks against the database. All data is run through an escape_data function (the slide's ini key read magic_quotes_qpc, a typo for magic_quotes_gpc, which would have silently disabled the stripslashes branch):

    function escape_data($mysqli_connection, $data) {
        // Undo PHP's legacy automatic quoting, if enabled, so the value is not escaped twice
        if (ini_get('magic_quotes_gpc'))
            $data = stripslashes($data);
        // Escape the value for use inside a quoted SQL string literal on this connection
        $data = mysqli_real_escape_string($mysqli_connection, $data);
        return $data;
    } // End of function escape_data()

    $fname = escape_data($mysqli_connection, htmlspecialchars($_POST['fname']));

Comic from XKCD (xkcd.com) by Randall Munroe
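The slide's escape_data() beside a prepared-statement version of the Page 8 message insert, as an added example that is not code from the original slides. It assumes an open mysqli connection $db and a hypothetical table messages(id, body, submitter).

```php
<?php
// Added example, not code from the original slides. Assumes an open mysqli
// connection $db and a hypothetical table messages(id, body, submitter).

// 1. The slide's helper, with the ini key spelled correctly (magic_quotes_gpc).
//    Escaping only protects a value that lands INSIDE a quoted SQL string literal.
function escape_data(mysqli $db, string $data): string {
    if (ini_get('magic_quotes_gpc')) {   // setting removed in PHP 5.4, so dead on current PHP
        $data = stripslashes($data);
    }
    return mysqli_real_escape_string($db, $data);
}

// The gap: an unquoted numeric context. "1 OR 1=1" contains nothing to escape,
// so the escaped value is unchanged and the WHERE clause matches every row.
function unsafe_lookup(mysqli $db, string $id): string {
    $id = escape_data($db, $id);
    return "SELECT body FROM messages WHERE id = $id";   // still injectable
}

// 2. Preferred form: prepared statements keep data out of the SQL text entirely,
//    in every context, and do not depend on the connection charset.
function message_exists(mysqli $db, string $body): bool {
    $stmt = $db->prepare('SELECT 1 FROM messages WHERE body = ? LIMIT 1');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

function insert_message(mysqli $db, string $body, string $submitter): int {
    $stmt = $db->prepare('INSERT INTO messages (body, submitter) VALUES (?, ?)');
    $stmt->bind_param('ss', $body, $submitter);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Submission handler: store the raw text and apply htmlspecialchars() when rendering,
// not before the INSERT, so the database holds one canonical copy of each message.
$body = trim($_POST['message'] ?? '');
if ($body !== '' && !message_exists($db, $body)) {
    insert_message($db, $body, $_SERVER['REMOTE_ADDR']);
}
echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
```

Combined with the slide's INSERT-only database account, the prepared statements mean a malformed message can neither alter the query nor reach tables the form has no business touching.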

Page 12

Email Obfuscation
- A nifty tool turns a plain-text email into the same text but encoded in various bases.
- Effective and quick means of preventing email harvesting.
- The user is completely unaffected.
- reCAPTCHA also offers a more secure (but more obvious) solution that requires users to solve a CAPTCHA to see the email.

Users see this: (the rendered link)

Bots see this:

    <a href="&#x6d;&#97;&#105;&#x6c;&#116;&#x6f;&#x3a;&#x61;&#104;&#97;&#x6d;&#x69;&#x6c;&#116;&#111;&#x40;&#116;&#x6a;&#x68;&#115;&#x73;&#x74;&#46;&#x65;&#x64;&#x75;">&#x61;&#104;&#97;&#x6d;&#x69;&#x6c;&#116;&#111;&#x40;&#116;&#x6a;&#x68;&#115;&#x73;&#x74;&#46;&#x65;&#x64;&#x75;</a>
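What the obfuscation tool does, reproduced as an added example (not the slide's tool): each character of the mailto link becomes a decimal or hex HTML entity in the same mix the slide's output shows, and the result is decoded again to confirm a browser renders the plain address. It assumes an ASCII address; the sample address is constructed.

```php
<?php
// Added example, not the slide's tool. Emits each character of a mailto link as a
// decimal or hex HTML entity, then decodes it back to check that a browser (which
// decodes entities before rendering) shows the plain address.
// Assumes an ASCII address; the sample below is constructed, not a real mailbox.

function entity_encode(string $ascii): string {
    $out = '';
    foreach (str_split($ascii) as $ch) {
        $code = ord($ch);
        // Pick the base per character so the output is not one fixed template.
        $out .= (random_int(0, 1) === 0) ? sprintf('&#x%x;', $code) : sprintf('&#%d;', $code);
    }
    return $out;
}

function obfuscated_mailto(string $email): string {
    return '<a href="' . entity_encode('mailto:' . $email) . '">' . entity_encode($email) . '</a>';
}

$email = 'user@example.com';
$link  = obfuscated_mailto($email);
echo $link, "\n";

// What the browser renders. The limit of the technique: any harvester that runs the
// same one-line decode sees the address too, so this only stops naive regex scrapers,
// which is why the slide calls the CAPTCHA-gated reveal the more secure option.
$decoded = html_entity_decode($link, ENT_QUOTES, 'UTF-8');
assert($decoded === '<a href="mailto:' . $email . '">' . $email . '</a>');
echo $decoded, "\n";
```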

Page 13

Conclusion
- Website security is a fairly straightforward solution to provide as a module.
- In the future, this system could be expanded to create a common logon system (same username and password for different sites, similar to a Google Account).
- Other features to add are the ability to authenticate against other systems (Kerberos, LDAP, certificates).

Page 14

Any Questions?
