Virtualization Methods for Securing Online Exam

The advancement of technology brings various changes to numerous fields, including education. The use of online exams is increasing, since they bring several benefits, including the possibility of automated grading. However, online exams also bring new possibilities for a cheating exam taker to access forbidden resources. Both manual and computer-aided mechanisms to prevent cheating are needed. After conducting preliminary research on cheating in online exams and its detection and prevention, in this research we present virtualization methods for securing online exams from cheating attempts in an exam client in real time. We analyzed and compared two virtualization methods, hardware-level virtualization and operating-system-level virtualization, for implementing secure exam sandboxes. Based on our experiments, hardware-level virtualization is the optimal method. The result of this research is a set of tools that can be used to enhance the existing proctoring methods used for securing online exams. The benefits of our proposed system are better process isolation and low bandwidth usage.

The advent of Web technologies introduces a new dimension in examinations. Exams that were once held using pen and paper are now done with the help of the computer and the Internet. On one side, this enables exams to be conducted remotely. Exam takers may not be required to come to a designated place to take an exam. On the other side, however, this also introduces new ways of cheating. An examinee may ask another person to impersonate him/her for the exam, or use the Internet to access resources for answers. Relevant control procedures are required to verify the integrity of the online exam. We have analyzed the features/capabilities, the phases of the exam, and the securing of online exams from fraud/cheating attempts as part of our previous research [1]. A secure online exam, which puts a student/exam taker in a restricted environment to prevent cheating, is necessary for protecting the integrity of the exam. Our programming classes at the School of Electrical Engineering and Informatics, Institut Teknologi Bandung (SEEI ITB) conduct online exams using an auto-grading system. The online exam is conducted in a managed environment [2], in a local environment. To take an exam, the examinees are required to present themselves in their designated room. Before entering the examination room, examinees are required to show valid proof of identification to the proctors. Each room is equipped with computers, which are sanitized before the exam. These computers are only installed with exam-related software, are checked and cleaned regularly for files that may be used for seeking answers, can only access allowed directories, and have their network configured so that they can only access the exam website and cannot communicate with each other. These mechanisms are enforced and effective in detecting and preventing cheating. However, these methods cannot be applied to online exams in which the students are using their own computers.
For a large class of 400 students, the online exam cannot be conducted in a single shift, due to an inadequate number of available computers. On the other hand, it is not possible to sanitize the students' own devices for the exam. Therefore, during the exam, each student should only be allowed to access a virtual machine that functions as a sanitized computer. Web-based software used for conducting exams can be configured such that examinees can take the exam remotely. Examinees can access the exam software through a web browser on self-provided computers/devices, which act as the exam client. To prevent cheating, examiners may turn to third-party remote proctoring services for aid, in the form of applications such as ProctorU [3] and RPNow [4]. These apps enable remote administration of the exam clients. For example, the app can limit the processes running on the device, or monitor inputs from the device. This exam environment can be defined as a managed environment [1], conducted remotely. Besides remote proctoring, other methods for securing online exams have been researched and implemented, such as shell sandbox [5] and group cryptography [6]. However, these methods do not offer a fine level of isolation. The use of virtualization enables the possibility of conducting the exam with a finer level of control. Virtualization is one of the possible methods to achieve a particular level of control over the underlying resources of a system. In the operating system, a virtual machine, a software layer that applies the virtualization concept, enables a user to control access to resources of an operating system, such as the file system and networking. In an exam environment, this gives proctors/administrators control over the exam clients, which can be used to enhance the security of the exam. Therefore, it may be possible to achieve the same level of control of a managed, local exam environment in a managed, remote exam environment.
Even though the idea of conducting online exams remotely is not new [3, 4, 8], most current implementations require an exam environment equipped with a high-bandwidth network. Such a network is not available in our current conditions, in which the throughput of our local network is not adequate for the deployment of applications that require high bandwidth, i.e., virtual desktop infrastructure (VDI). Besides VDI, there exist virtualization solutions that can be deployed offline [9]. A possibility of using virtualization for low-bandwidth online exams therefore exists. Finally, through virtualization, one can emulate a computer with a similar user interface, which eases training and usage. The rest of this paper is organized as follows. The problem statement and our proposed solution are presented in Section 2. Section 3 of this paper gives some relevant works in the domain. In Section 4, we present the virtualization methods explored and implemented. Section 5 presents some testing results obtained using the methods described in Section 4. We conclude this paper with a discussion and conclusion.

II. PROBLEM STATEMENT AND PROPOSED SOLUTION

In our managed exam environment, means of control over an exam client's operating system are achieved by conducting the exam on a local network. Specifically, the examiner/exam committee provides a room, equipped with sanitized computers/devices, to be used in an online exam. Such a method cannot be used when conducting an online exam remotely, in which the number of available computers is not enough to serve the exam takers. In this situation, the exam would either be held in shifts, or the exam takers would be allowed to use their own computers/devices. Both of these options allow opportunities for cheating, either by giving out exam questions to exam takers taking the exam in later shifts or by accessing forbidden resources during the exam.
In this research, we explored and implemented virtualization methods that can be used by examiners/administrators to control an exam client remotely. Specifically, the platform that we're using for this research is Windows, since most of the students at ITB use it on their laptops. Furthermore, we limit the security scope to cover only the device being used as the exam client, especially during the exam [1].

This paper has presented two methods of virtualization, which are used for securing online exam clients. Based on our experiment, it can be concluded that hardware-level virtualization is a better solution for securing an online exam client than OS-level virtualization. The advantages include a better level of isolation and ease of implementation. In order to implement a proper OS-level virtualization solution, further research on the behavior of OS system calls is necessary. This research only covers system calls related to file system access. Other system calls are beyond the scope of this research. A proper OS-level virtualization solution would need to implement hooks for these other system calls. In addition, the development of OS-level virtualization solutions, especially on Windows, is an interesting topic for research. One possible topic that can be explored is how to develop a toolkit for creating a lightweight sandbox that can be applied to any binary runtime. A particularly interesting subject would be a toolkit for automated testing of hooks, which could be used to test the correctness of hooks that modify an application against a set of test scenarios.