DOI: 10.1145/3502718.3524748
Research article, Open access

Exploring How Students Solve Open-ended Assignments: A Study of SQL Injection Attempts in a Cybersecurity Course

Published: 07 July 2022

Abstract

Research into computing and learning how to program has been ongoing for decades. Commonly, this research has focused on novice learners and the difficulties they encounter, especially during CS1. Cybersecurity is a critical aspect of computing, both as a topic in university education and as a core skill in industry. In this study, we investigate how students solve open-ended assignments in a cybersecurity course offered to university students after two years of CS studies. Specifically, we look at how students perform SQL injection attacks on a web application, and study to what extent we can characterize the process by which they arrive at successful injections. Our results show that there are distinguishable strategies used by individual students who seek to hack the system, and that these approaches revolve around exploration and exploitation tactics. We also find evidence of learning in the form of a more pronounced use of exploitation in a subsequent, similar assignment.
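As an added illustration (not code from the paper or from the course's web application, whose implementation this page does not describe), the following Python script builds a throwaway SQLite login table, places the string-concatenated query that makes such a login form injectable beside its parameterized fix, and runs a constructed sequence of attempts in the exploration-then-exploitation pattern the abstract reports. The table, users and payloads are assumptions made up for the example.

```python
"""Constructed example of the kind of SQL injection exercise the abstract
describes: a login form whose query splices user input into SQL text.
Added example, not code from the paper or its course platform; the schema,
users and payloads are assumptions made up for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database standing in for the target app.
    Passwords are stored in plaintext only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: builds the query by string concatenation,
    so a quote in either field changes the structure of the query."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe(conn: sqlite3.Connection, username: str, password: str) -> str:
    """One attempt against the vulnerable login, classified the way a student
    (or an attacker) reads the response: a database error shows that the input
    reaches the query ("error"), a successful login means the injection worked
    ("login"), anything else is just a failed login ("denied")."""
    try:
        return "login" if login_vulnerable(conn, username, password) else "denied"
    except sqlite3.Error:
        return "error"


# A constructed attempt sequence mirroring the exploration-then-exploitation
# pattern the abstract reports: first probe for a reaction, then use it.
ATTEMPTS = [
    ("alice", "guess"),            # ordinary wrong password: denied
    ("'", "guess"),                # exploration: a lone quote breaks the query
    ("' OR '1'='1' --", "guess"),  # exploitation: true predicate, rest commented out
    ("alice", "' OR '1'='1"),      # exploitation via the password field
]


def run_attempts(conn: sqlite3.Connection) -> list:
    """Run every attempt in ATTEMPTS and return (username, password, outcome)."""
    return [(u, p, probe(conn, u, p)) for u, p in ATTEMPTS]


if __name__ == "__main__":
    db = make_db()
    for user, pw, outcome in run_attempts(db):
        print(f"{outcome:7} username={user!r} password={pw!r}")
    # The same payloads get nowhere against the parameterized query.
    print("safe login with payload:", login_safe(db, "' OR '1'='1' --", "guess"))
```

Run directly, the script prints the outcome of each attempt. The point to take from it is that the error on the lone quote is the exploration signal, while the two injections succeed only against the concatenated query; the parameterized form, not input filtering, is what removes the bug.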


        Published In

        ITiCSE '22: Proceedings of the 27th ACM Conference on Innovation and Technology in Computer Science Education, Vol. 1
        July 2022
        686 pages
        ISBN:9781450392013
        DOI:10.1145/3502718

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. database security
        2. education
        3. problem solving
        4. sql injection

        Conference

        ITiCSE 2022

        Acceptance Rates

        Overall Acceptance Rate 552 of 1,613 submissions, 34%