A Design for a Collaborative Make-the-Flag Exercise

Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 531)

Abstract

Many people know how to compromise existing systems, and capture-the-flag contests are increasing this number. There is a dearth of people who know how to design and build secure systems. A collaborative contest to build secure systems to meet specific goals—a “make-the-flag” exercise—could encourage more people to participate in cybersecurity exercises, and learn how to design and build secure systems. This paper presents a generic design for such an exercise. It explores the goals, organization, constraints, and rules. It also discusses preparations and how to run the exercise and evaluate the results. Several variations are also presented.

  • DOI: 10.1007/978-3-319-99734-6_1
  • Chapter length: 12 pages

Notes

  1. This is from an incident where the author and his students were testing a firewall. The bug was quickly fixed.

  2. Thanks to Dan Ragsdale for this suggestion.

Acknowledgements

Thanks to Dan Ragsdale of Texas A&M University and Kara Nance of the Virginia Polytechnic Institute and State University for helpful discussions. The author gratefully acknowledges support of the National Science Foundation under Grant Numbers DGE-1303211 and OAC-1739025, and a gift from Intel Corporation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, Intel Corporation or the University of California at Davis.

Author information

Correspondence to Matt Bishop.

Copyright information

© 2018 IFIP International Federation for Information Processing

Cite this paper

Bishop, M. (2018). A Design for a Collaborative Make-the-Flag Exercise. In: Drevin, L., Theocharidou, M. (eds) Information Security Education – Towards a Cybersecure Society. WISE 2018. IFIP Advances in Information and Communication Technology, vol 531. Springer, Cham. https://doi.org/10.1007/978-3-319-99734-6_1

  • DOI: https://doi.org/10.1007/978-3-319-99734-6_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99733-9

  • Online ISBN: 978-3-319-99734-6

  • eBook Packages: Computer Science, Computer Science (R0)