Learning by s/doing/h4ck1ng/
Our experience learning application security through hacking competitions
Marcello Pogliani
NECSTLab @ Pinterest
San Francisco, 5 June 2017
Write secure code
Think like an attacker
Security competitions (CTFs) - what this talk is about
Information security-oriented “game”
Try to break into (toy) applications “for fun”
… get flags: flag{this_is_a_flag}
Why?
Fun (above all)
Skillz (and motivation)
Awareness
Creds
How?
Online or live (on-site)
Jeopardy (a set of independent challenges, solved in any order) or Attack-Defense (every team runs the same vulnerable services, patches its own and exploits the others’)
Which skills?
reverse engineering
binary exploitation
web application security
cryptography
forensics
… and others
Good teams generally have strong skills and experience in all these areas
Is this just academic?
● Stripe CTF https://github.com/stripe-ctf
○ CTF 2.0 (2012): web oriented
○ CTF 3: same concept, applied to distributed systems
● Google
○ CTF https://capturetheflag.withgoogle.com/
● Facebook
○ Open CTF platform http://github.com/facebook/fbctf
● many others (internal or external)
What we do (as a team && as a research group)
We play CTFs
We “hack” together
We organize CTFs
Tower of Hanoi
Some history
● UCSB iCTF, back in 2004.
● ToH won the iCTF editions of 2004 and 2005.
● Playing iCTF every year since then.
● Since 2010, several other CTFs: DEFCON Quals, CSAW, Plaid CTF, RuCTFe, Codegate, …
Playing CTFs
● Team organization
○ Tasks / specialization
○ Tools
● Strategy (decide it before being awake for 48h)
○ “observe” other teams
○ “play” the organizers
PoliCTF 2015
WIP: PoliCTF 2017
7 - 9 July 2017
PoliCTF 2015 in numbers
● 48 hours non-stop
● > 1k registered teams
● 388 participating teams
○ i.e., solved at least one challenge
● 25 challenges
● $500 of infrastructure
Easy?
Designing effective challenges
Have a solid infrastructure: it only has to last 48 hours, and (mostly) can’t be reused
Design effective challenges
● No guessing
○ we all know how to use dirbuster
● No bruteforcing
○ challenge people’s brains, not Intel’s CPUs
● No standard challenges
○ Google can solve them for you
○ CTF != pentest
● A flag is a flag is a flag
Good challenge = fun
● Newbies & experts
● Different skills
○ Forensics, crypto nerds, networking experts, reverse engineers, …
○ Unusual topics / languages / … are ok
Good challenge = fun for the whole team
● Don’t rely on an obscure bug of openssl 2.0.54b you can
find on an obscure bug tracker you can find only by
chance because the subject is completely wrong…
○ unless testing people’s google fu (recon)
● Beware of multi-step challenges
Good challenge != impossible challenge
Idea → challenge (what works for us)
1. Call for challenge
2. Challenge submission
3. Challenge peer-review (without knowing the solutions)
○ Test, test, test
○ Get feedback (and spot loads of bugs)
○ Assign points (alternative: “dynamic” challenge rating)
4. Select, fix & deploy
Have a solid infrastructure
Infrastructure
Amazon AWS
DNS, Storage, Hardened EC2 VMs,
Load Balancers, Security groups.
1 challenge = N VMs (w/scaling)
Monitoring
Know if a challenge is down before people start complaining
Icinga + scripts that actually try to solve the challenge (+ ELK for logs)
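The monitoring idea above, as an added example that is not part of the original slides or of the PoliCTF tooling: an Icinga/Nagios plugin-style check that does not just probe the port but plays the challenge end to end and compares the flag it receives with the one that was deployed, so a service that is up but serving a stale or broken build is caught too. The challenge service, its nonce/sha256 exchange and the flag value are constructed assumptions made for the example.

```python
"""Active check in the style of an Icinga/Nagios plugin: play the challenge,
verify the flag, exit 0 (OK) or 2 (CRITICAL). Example code, not from the talk."""
import hashlib
import socket
import socketserver
import sys
import threading

# Standard Nagios/Icinga plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

FLAG = "flag{this_is_a_flag}"  # constructed sample flag, in the format shown on the slides


class ToyChallengeHandler(socketserver.StreamRequestHandler):
    """One connection of the constructed stand-in challenge: hand out a nonce and
    return the flag only to a client that answers with sha256(nonce)."""

    def handle(self):
        nonce = "cafebabe"  # fixed so the run is reproducible; a real service would randomise it
        self.wfile.write(f"nonce: {nonce}\n".encode())
        answer = self.rfile.readline().decode(errors="replace").strip()
        if answer == hashlib.sha256(nonce.encode()).hexdigest():
            self.wfile.write(f"{self.server.flag}\n".encode())
        else:
            self.wfile.write(b"wrong\n")


class ToyChallengeServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, flag):
        super().__init__(("127.0.0.1", 0), ToyChallengeHandler)  # port 0: pick a free port
        self.flag = flag


def start_server(flag=FLAG):
    """Start the constructed challenge in a background thread and return the server."""
    srv = ToyChallengeServer(flag)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_challenge(host, port, expected_flag, timeout=3.0):
    """Solve the challenge the way a player would; return (exit_code, message)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            reader = sock.makefile("rb")
            banner = reader.readline().decode(errors="replace").strip()
            if not banner.startswith("nonce: "):
                return CRITICAL, f"unexpected banner {banner!r}"
            nonce = banner[len("nonce: "):]
            sock.sendall(hashlib.sha256(nonce.encode()).hexdigest().encode() + b"\n")
            reply = reader.readline().decode(errors="replace").strip()
    except socket.timeout:
        return CRITICAL, f"timeout after {timeout}s while solving"
    except OSError as exc:
        return CRITICAL, f"connection to {host}:{port} failed: {exc}"
    if reply != expected_flag:
        # Report what came back, never the expected flag: plugin output lands in dashboards and mail.
        return CRITICAL, f"solved the challenge but got {reply!r} instead of the deployed flag"
    return OK, "challenge solvable, correct flag returned"


if __name__ == "__main__":
    # Stand-alone demo against the constructed service. Under Icinga the host/port come
    # from the command definition and the expected flag from a file readable only by the checker.
    srv = start_server()
    code, message = check_challenge("127.0.0.1", srv.server_address[1], FLAG)
    print(f"{'OK' if code == OK else 'CRITICAL'} - {message}")
    srv.shutdown()
    sys.exit(code)
```

Two design choices worth copying: the check fails on a wrong flag, not only on a dead port, which is what catches the stale redeploy; and the message never echoes the expected flag, because alert text is copied into tickets and chat.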
What didn’t work
● Crypto
○ ended up being guessing
● Challenges with more than one valid solution
○ a simple “flag based” verifier can’t handle them → support effort, bad player experience
● Bad hardening
○ screwed up (badly) the permissions of an NFS share holding the .pcap of all the traffic…
○ A team reported this to us!
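The NFS mistake above, turned into the check an organizer would want before the game starts, as an added example that is not part of the slides: a small /etc/exports audit that flags exports mountable by every host, writable exports, no_root_squash, insecure ports, and the exports(5) footgun where a space before the option list binds the options to the whole world rather than to the host in front of it. The sample exports file is constructed and is not the PoliCTF configuration.

```python
"""Audit /etc/exports for exports that reach more hosts, or grant more rights,
than intended. Example code, not from the talk; sample file is constructed."""
import re

# Constructed sample. The last line is the classic footgun: "10.0.1.5 (rw)" with a
# space exports the directory read-only to 10.0.1.5 AND read-write to everyone.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/pcap        *(rw,sync,no_root_squash)
/srv/challenges  10.0.1.0/24(ro,sync,root_squash) 10.0.2.7(rw)
/srv/scoreboard  @orgs(ro,sync)
/srv/oops        10.0.1.5 (rw)
"""

# Defaults exportfs applies when an option is not given (exports(5)).
DEFAULT_OPTIONS = {"ro", "sync", "root_squash", "secure"}
# Options that replace a default, used to compute the effective option set.
OVERRIDES = {"rw": "ro", "no_root_squash": "root_squash", "insecure": "secure", "async": "sync"}

ISSUES = {
    "world": "mountable by every host",
    "wildcard": "client pattern matches more hosts than a fixed list",
    "rw": "writable",
    "no_root_squash": "root on the client is root on the share",
    "insecure": "requests from unprivileged source ports accepted",
    "auth_sys": "no Kerberos (sec=sys): the server trusts whatever UID the client claims",
}

_CLIENT = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, effective_options) for every client of every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            match = _CLIENT.fullmatch(token)
            if match is None:
                raise ValueError(f"cannot parse client spec {token!r} for {path}")
            host, opts = match.groups()
            if host == "":
                host = "*"  # "(opts)" on its own: exportfs applies the options to the world
            given = {o.strip() for o in opts.split(",")} if opts else set()
            given.discard("")
            effective = (DEFAULT_OPTIONS - {OVERRIDES[o] for o in given if o in OVERRIDES}) | given
            yield path, host, effective


def audit_exports(text):
    """Return a list of (path, client, issue_code) findings in file order."""
    findings = []
    for path, host, opts in parse_exports(text):
        exposed = host == "*" or any(c in host for c in "*?")
        if host == "*":
            findings.append((path, host, "world"))
        elif exposed:
            findings.append((path, host, "wildcard"))
        if "rw" in opts:
            findings.append((path, host, "rw"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash"))
        if "insecure" in opts:
            findings.append((path, host, "insecure"))
        # With AUTH_SYS the client asserts its own UIDs, so file modes do not protect data
        # from any host that can mount; only worth flagging when the export is exposed.
        if exposed and not any(o.startswith("sec=") and "krb5" in o for o in opts):
            findings.append((path, host, "auth_sys"))
    return findings


if __name__ == "__main__":
    for path, host, code in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {ISSUES[code]}")
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; on a game network the only exports that should survive the audit are the ones limited to the organizers’ hosts or netgroup, read-only where possible, and never containing the traffic captures.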
References
● https://github.com/pwning/docs/blob/master/suggestions-for-running-a-ctf.markdown
● http://captf.com/maxims.html
● https://ictf.cs.ucsb.edu/pages/docs.html
marcello.pogliani@polimi.it
http://toh.necst.it
http://www.polictf.it
@towerofhanoi
NECSTLab Research in System Security | some examples
● Malware Analysis
○ A. Continella et al., ShieldFS: a self-healing, ransomware-aware filesystem - ACSAC 2016 & BlackHat 2017
○ M. Polino et al., Jackdaw: Towards automatic reverse engineering of large datasets of binaries - DIMVA 2015
● Cyber-Physical System Security
○ D. Quarta et al., An Experimental Security Analysis of an Industrial Robot Controller - S&P 2017 & BlackHat 2017
● Fraud Detection
○ M. Carminati et al., BankSealer: an online banking fraud analysis and decision support system - IFIP 2014
● Mobile Security
○ C. Zheng et al., On-chip system call tracing: A feasibility study and open prototype - CNS 2016
○ N. Andronio et al., HelDroid: Dissecting and detecting mobile ransomware - RAID 2015 and BlackHat EU 2016
○ L. Falsina et al., Grab'n Run: Secure and Practical Dynamic Code Loading for Android Applications - ACSAC 2015