Introduction of CTF and CGC
•Download as PPTX, PDF•
1 like•2,369 views
This document provides an introduction to hacking competitions called Capture the Flag (CTF) events and the related Cyber Grand Challenge (CGC). It discusses the different types and styles of CTF competitions, including jeopardy and attack-defense styles. It also outlines the problem categories in CTF like reverse engineering, pwnable, cryptography, forensics and web. The document notes the benefits of participating in CTFs and the culture around CTF events. It provides an overview of the CGC, which involves automated systems defending and attacking each other. An example of an automated patching system from the CGC is also summarized.
More Related Content
What's hot
What's hot (20)
Similar to Introduction of CTF and CGC
Similar to Introduction of CTF and CGC (20)
More from Kir Chou
More from Kir Chou (20)
Recently uploaded
Recently uploaded (20)
Introduction of CTF and CGC
- 1. Introduction to Hacking Competitions CTF & CGC Kir Chou @ Meetup Coffee with Science 1 2017 Nov
- 2. About me Kir Chou Taiwanese SDE (Pythonista) @ Tokyo 2 note35 kir.choukirchou
- 3. Outline i. What is CTF ii. Problem categories iii. Benefit from CTF iv. Culture of CTF v. What is CGC vi. CRS example 3
- 4. What is CTF Capture the flag 4
- 5. What is CTF • CTF a.k.a Capture the Flag • A Computer security competition – CTF Time • For educational exercise and reward • Require several skills 5
- 6. Styles of CTF • Jeopardy (Common) - ジアパディー • Multiple categories of problems • Earn the most points in the time frame 6
- 7. Styles of CTF • Attack-Defense (Advance) • Given a machine (or a small network) to defend on an isolated network • Famous Competition: DEFCON | CSAW • Game Record in DEFCON 2014 [Src] 7
- 8. DEFCON – Hacker World Cup • History • Found in 1992 / CTF started from 1996 • @Las Vegas in August • How to enter? • Champion in seed CTF (Hitcon, Seccon…etc) • Top10 @ DEFCON Quals in May 8
- 9. HITCON • Found in 2005 • 2017 DEFCON 2nd • 2016 DEFCON 4th • 2014 DEFCON 2nd • Top 1 @ CTFTime Oct. 2017 • Why the name is 217? 9
- 11. Reverse 11 Download Find Key Earn Points Stereotype of typical hacker Some problems are relied on experience Some problems are like pwnable problem Recommend any background 0~ year [example]
- 12. Pwnable 12 Download Some problems don’t give you any file Find exploitable vulnerability Earn PointsConnect to server Use exploitable vulnerability to get shell Hard to get started once you learned, it’s fun but need talent Recommend CS background ~1 year [example]
- 13. Crypto 13 Very hard to learn Crypto are usually hard without background Recommend Math/CS background 4~ years Various Source Web, File, String. Hardware… Apply Math (Modern Cryptography) Earn Points [example]
- 14. Forensics 14 File Apply Analysis, Simulation… Earn Points Some problems are rely on experience Most of problem need to learn tools Recommend Any background 0~ year [example]
- 15. Web 15 I have no idea how to explain this Recommend for web geeek ∞ year [example]
- 16. Misc 16 No one need to learn how to play puzzle…right? Recommend any background 0 year Various Source Web, File, String. Hardware… Play with puzzle Earn Points Don't be addicted to this this won’t help you become strong [example][Maze]
- 17. Benefit from CTF • Digging knowledges • Be bullied & Bullying • Earn money 17
- 18. Culture of CTF • Strong is everything 強者至上主義 • Strong teams host famous CONF • Strong teams host famous CTF • Co-work workspace (eg. Trello, Slack) • Write-up after ctf (Blog, SNS) • writing blog about how you solve problem 18
- 20. What is CGC • CGC a.k.a. Cyber Grand Challenge • Found by DARPA since 2014 (every 2 years) • Make a CRS(Cyber Reasoning System) to attack and defense by system itself • Challenge Qualification Event (Standalone) • Challenge Final Event (Attack-defense) 20 Techniques Static Analysis Dynamic Analysis Symbolic Execution Constraint Solving Data Flow Tracking Fuzz Testing [src][example] Pwnable + Reverse !
- 21. How does CRS work? Finishing all of them automatically 21 Maintain service in the system Find exploit vulnerabilities Fix exploit vulnerabilities Analysis program/process
- 24. Appendix • An auto patching example of CRS 24
- 25. Example Flawed Program 25 void foo(char* str) { strcpy(str, “1234567890”); } int main(void) { char buf[5]; foo(buf); return 0; } [example]
- 28. Patch Flow 28
- 29. Patch Buffer Overflow 1.Decrease the bound to a suitable value strncpy(dst, src, 100) → strncpy(dst, src, 40) 2.Increase the buffer size char buf[40] → char buf[100] 29
Editor's Notes
- http://katc.hateblo.jp/entry/2016/10/10/122013
- https://poning.me/2016/10/29/secret-holder/
- https://193s.github.io/blog/2015/10/19/hitcon-2015-rsabin-writeup/
- http://lockboxx.blogspot.jp/2014/08/hitcon-2014-ctf-writeup-g8la-forensics.html
- http://icheernoom.blogspot.jp/2016/10/hitcon-ctf-2016-web-write-up.html
- https://blog.m157q.tw/posts/2015/10/19/hitcon-ctf-2015-quals-write-up/ https://www.youtube.com/watch?v=uPXhLQjpInU
- https://github.com/CyberGrandChallenge/ https://github.com/CyberGrandChallenge/samples/tree/master/examples/CADET_00001 http://archive.darpa.mil/cybergrandchallenge/ https://www.darpa.mil/program/cyber-grand-challenge
- https://github.com/SQLab/pin/tree/master/0ops_app http://www.thegeekstuff.com/2013/06/buffer-overflow https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/