6. Security competitions (CTFs) - what this talk is about
Information security-oriented “game”
Try to break into (toy) applications “for fun”
… get flags: flag{this_is_a_flag}
6
10. Which skills?
reverse engineering
binary exploitation
web application security
cryptography
forensics
… and others
Good teams
generally have
strong skills and
experience in all
these areas
10
11. Is this just academic?
â—Ź Stripe CTF https://github.com/stripe-ctf
â—‹ CTF 2.0 (2012): web oriented
â—‹ CTF 3: same concept, applied to distributed systems
â—Ź Google
â—‹ CTF https://capturetheflag.withgoogle.com/
â—Ź Facebook
â—‹ Open CTF platform http://github.com/facebook/fbctf
â—Ź many others (internal or external)
11
12. What we do (as a team && as a research group)
We play CTFs
We “hack” together
We organize CTFs
12
Tower of Hanoi
13. Some history
â—Ź UCSB iCTF, back in 2004.
â—Ź ToH won the iCTF edition of 2004 and 2005.
â—Ź Playing iCTF every year since then.
â—Ź Since 2010, several other CTFs: DEFCON
Quals, CSAW, Plaid CTF, RuCTFe, codegate, …
13
14. Playing CTFs
â—Ź Team Organization
â—‹ Tasks / specialization
â—‹ Tools
â—Ź Strategy (before being awake for 48h)
○ “observe” other teams
○ “play” the organizers
14
16. PoliCTF 2015 in numbers
â—Ź 48 hours no stop
â—Ź > 1k registered teams
â—Ź 388 participating teams
â—‹ solved at least one challenge
â—Ź 25 challenges
â—Ź 500$ infrastructure
16
19. â—Ź No guessing
â—‹ we all know how to use dirbuster
â—Ź No bruteforcing
○ challenge people’s brains, not Intel’s CPUs
â—Ź No standard challenges
â—‹ google can solve them for you
â—‹ CTF != pentest
â—Ź A flag is a flag is a flag
Good challenge = fun
19
20. â—Ź Newbies & experts
â—Ź Different skills
â—‹ Forensics, crypto nerds, networking experts, reverse
engineers, …
○ Unusual topics / language / … are ok
Good challenge = fun for the whole team
20
21. ● Don’t rely on an obscure bug of openssl 2.0.54b you can
find on an obscure bug tracker you can find only by
chance because the subject is completely wrong…
○ unless testing people’s google fu (recon)
â—Ź Beware of multi-step challenges
Good challenge != impossible challenge
21
22. Idea → challenge (what works for us)
1. Call for challenge
2. Challenge submission
3. Challenge peer-review (without knowing the solutions)
â—‹ Test, test, test
â—‹ Get feedback (and spot loads of bugs)
○ Assign points (alternative: “dynamic” challenge rating)
4. Select, fix & deploy
22
25. Monitoring
Know if a challenge is down
before people starts complaining
Icinga + scripts trying to actually
solve the challenge (+ ELK for logs)
25
27. What didn’t work
â—Ź Crypto
â—‹ guessing
â—Ź Challenges with more than a unique solution
○ pretty simple “flag based” verifier → didn’t work out → support
effort, bad player experience
â—Ź Bad hardening
â—‹ screwed up (badly) the permissions in an NFS share with the
.pcap of all the traffic…
â—‹ A team reported this to us!
27
30. NECSTLab Research in System Security | some examples
30
â—Ź Malware Analysis
â—‹ A. Continella et al., ShieldFS: a self-healing, ransomware-aware
filesystem - ACSAC 2016 & BlackHat 2017
â—‹ M. Polino et al., Jackdaw: Towards automatic reverse
engineering of large datasets of binaries - DIMVA 2015
â—Ź Cyber-Physical System Security
â—‹ D. Quarta et al., An Experimental Security Analysis of an
Industrial Robot Controller - S&P 2017 & BlackHat 2017
31. NECSTLab Research in System Security | some examples
31
â—Ź Fraud Detection
â—‹ M. Carminati et al., BankSealer: an online banking fraud analysis
and decision support system - IFIP 2014
â—Ź Mobile Security
â—‹ C. Zheng et al., On-chip system call tracing: A feasibility study
and open prototype - CNS 2016
â—‹ N. Andronio et al., HelDroid: Dissecting and detecting mobile
ransomware - RAID 2015 and BlackHat EU 2016
â—‹ L. Falsina et al., Grab'n Run: Secure and Practical Dynamic Code
Loading for Android Applications - ACSAC 2015