A Design for a Collaborative Make-the-Flag Exercise
Many people know how to compromise existing systems, and capture-the-flag contests are increasing this number. There is a dearth of people who know how to design and build secure systems. A collaborative contest to build secure systems to meet specific goals—a “make-the-flag” exercise—could encourage more people to participate in cybersecurity exercises, and learn how to design and build secure systems. This paper presents a generic design for such an exercise. It explores the goals, organization, constraints, and rules. It also discusses preparations and how to run the exercise and evaluate the results. Several variations are also presented.
Thanks to Dan Ragsdale of Texas A&M University and Kara Nance of the Virginia Polytechnic Institute and State University for helpful discussions. The author gratefully acknowledges support of the National Science Foundation under Grant Numbers DGE-1303211 and OAC-1739025, and a gift from Intel Corporation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, Intel Corporation or the University of California at Davis.