King - Security Before Features - SCORM 2.0

	SCORM 2.0	Log In \| Sign Up
	King - Security Before Features

Browse Space

Added by Avron Barr, last edited by Tom King on Aug 15, 2008 (view change) show comment

Home	About LETSI	Events	SCORM 2.0	Contact LETSI
Standing Committees:	Policy & Procedures	Strategic Communications	Technical Roadmap	Membership
Working Groups:	Architecture	Business Requirements	Sequencing	Teaching and Learning Strategies

SCORM Is Insecure: Secure It Before Adding Features

Tom King, Mobilemind

Summary

Security Before Features- The current SCORM Run-Time Environment (RTE) presents many security risks, and must be secured before the model is extended. At least one security exploit currently exists and may be in the wild. Many LETSI white papers propose extending SCORM features and offering additional integration. This should only be done after, or possibly or in conjunction with, securing SCORM.

Requirements/Needs Outlined

An existing exploit easily, automatically sends arbitrary scores, status values and times to many SCORM systems. It works with the Test Suite, ADL sample content, commercial vendor content, and at least one commercial LMS product. This undermines the value of SCORM for certification and compliance training. Integration with other systems may place other systems and data at risk. That in turn, puts SCORM and systems supporting SCORM in question as integration points.

Recommendations

Focus initial efforts on best practices to reduce exposure with the current model. Begin work on authentication in each type of transaction, and securing the communication methods that are publicly exposed.

Vet extensions and new features with independent security analysts during the design phase. Perform an independent security audit of reference implementations.

Comments (Hide)

Security is always an important issue. I doubt that many in the community will argue with that.

You bring up a great point that we must look at security issues as we move forward with SCORM2, but I think that they should be done concurrently with SCORM2, and not pause the needed innovation that is happening until they can be worked out. This become especially important as some of the webservice proposals get evaluated.

Thanks

Chris Raasch

Posted by Chris Raasch at Aug 27, 2008 16:52

I agree with Tom and Chris: security is important but so is innovation.

Posted by Eric Roberts at Sep 12, 2008 13:32

We agree with this point. Our paper proposes using an "answer key" file supplied with the SCO. This is used by the LMS server to evaluate the students responses and assign a score. The only reason this isn't widely exploited is that SCORM is not widely deployed. Its just a matter of time.

We just need to make cheating as hard as it is on any standardized test. Cheating will always be possible, we just need to make it harder to cheat the API than it is to cheat using traditional methods. Attackers will always favor the weakest point of attack, currently that's the API.

We would be happy to bring exploit code to the event in October. We are confident that this issue affects all LMS vendors because the attack is itself SCORM conformant.

Posted by Gareth Farrington at Sep 02, 2008 15:23

This is an interesting question. My thoughts:

1) This isn't a new problem. Insecurity has been a criticism of SCORM since Day 1, yet it's been widely adopted. That's not an excuse though and as adoption increases, security is more of a concern. I agree that security should be reexamined in SCORM 2.0.

2) "SCORM is not for high stakes assessments"...that's been the party line to the security criticism, is that still valid?

3) While more security is required in some uses of SCORM (for instance the legally required compliance training cited in the paper), it is overkill in other uses. Do we really need a 128-bit encrypted encrypted communication to tell whether or not the learner has mastered the company's new phone system? As Len Murphy says in "SCORM 2.0: Grab the Low Hanging Fruit" - "So although security is important, the level need not be universally set to DEFCON 1." Perhaps we need a "secure mode". This mode could be coupled to a web services extension since securing the current API would be quite difficult if not impossible.

Posted by Mike Rustici at Sep 02, 2008 17:36

I agree that we don't need to go to "DEFCON 1". Even having the stuff encrypted is overkill (besides do you want to be responsible for implementing working crypto on javascript?). Just seperate the target from the attacker and you will have good security, which is all you need.

The idea of using web services to achieve this is interesting.

Posted by Gareth Farrington at Sep 03, 2008 09:52