A team of Information Networking Institute (INI) students placed third overall in the MITRE Embedded Capture the Flag (CTF) held January 18-April 14.
The semester-long competition required each team to assume the role of defender and attacker on a self-driving car.
“Given the headlines over the past few years, you have one major concern: security!” reads MITRE’s challenge rules. “Can you imagine if someone was able to fly a drone over your car and install new firmware? Or worse, modify your self-driving car over the Internet?”
In the first six weeks, teams designed and implemented a secure bootloader that would mimic the systems that automakers use for in-field firmware updates. The second half of the competition was spent attacking other team’s designs.
The INI team collected 19 flags across five teams and six categories, which was the most number of software flags captured and second most captured flags overall.
I'm really proud of the team, the effort put forth and how much they learned and accomplishedMartin Carlisle, Director of Academic Affairs, Information Networking Institute, Carnegie Mellon University
“In traditional CTFs, problems are written with an intended solution in mind,” said Tiemoko Ballo, Master of Science in Information Security (MSIS) MS28 student. “But this competition required us to design, build, and verify a full product, then identify and exploit vulnerabilities in other team’s designs.”
The result? Every flag captured was satisfying because it involved breaking a real system that another team worked hard to secure.
“I'm really proud of the team, the effort put forth and how much they learned and accomplished,” said Martin Carlisle, INI teaching professor and team advisor. “The specification was written in a way to make it very hard for them to secure their system, but they nonetheless created a system that none of the teams were able to break.”
For 14 weeks, the team’s design successfully withstood attacks and did not lose a single flag to adversaries who had physical access to the team’s provisioned chip and the full source code, earning them the Iron Flag Award.
The team consisted of:
- Karthic Palaniappan (ECE, 2017)
- Mark Horvath (MSIS, MS28)
- Pouria Pezeshkian (Master of Science in Information Networking, MS28)
- Saurabh Sharma (Master of Science in Information Technology-Information Security, MS28)
- Surbhi Shah (MSIS, MS28)
- Tiemoko Ballo (MSIS, MS28).
Professor Carlisle said he anticipates fielding a team in this competition again next year and recommends interested students join the Plaid Parliament of Pwning (PPP) to participate in additional CTFs. Current CMU students can join the PPP mailing list for updated meeting information. PPP typically meets on Fridays during the semester.
Q&A with the team
How did you prepare to compete?
Attending PPP study sessions and working through the practice problems has been immensely helpful in getting started with CTFs. Taking Introduction to Embedded Systems (14-642) got us comfortable working with hardware, many of our attacks and defenses directly related to topics taught in Introduction to Information Security (14-741), and Introduction to Reverse Engineering (14-819) helped us develop an approach to systems problem-solving.
What is the value in participating in CTFs?
It forces you to develop deeper technical understanding, making you both a better attacker and a better defender. You might learn about common cryptographic pitfalls in a classroom setting, but after actually exploiting similar flaws on a real device you’ll never make that mistake yourself. Additionally, you're solving problems by bringing together various points of knowledge in a creative way, which is not only rewarding but also a valuable practical experience.
What is an insider tip you can offer students who wish to compete in this and other CTF events?
Don’t be intimidated by the competitive aspect, just jump in! You’ll learn by doing. And if you get stuck, that's part of the natural process of learning. At those moments, be unstoppable, pull in your network, ask professors and do whatever is necessary to solve the problem. Our team didn’t have any hardware security experience starting out, but working through challenges during this competition taught us a great deal.
Special thanks to Professor Martin Carlisle, Professor Alexander Volynkin and Professor Anthony Rowe for their guidance and support during the competition. Learn more about technical information about the competition.