DEFCON CTF - AS RUN BY DDTEK
The DEFCON Capture the Flag computer hacking competition is currently the largest in the world. Thousands of people from around the world participate in the Qualifications Round (quals), vying for one of twenty spots to compete with their team at the CTF contest in Las Vegas during DEFCON. In years past, participants in the Qualifications Round worked to answer computer security related questions in a game reminiscent of the TV show Jeopardy. In past CTF contests, teams have competed by attacking and defending computer systems assigned to their team.
Scoring a CTF is a challenging proposition. In order to become a master of binjitsu, it is essential to understand how you will be measured.
True binjitsu masters understand that the path to enlightenment may only be achieved by maintaining the delicate balance between the offensive and the defensive arts. This year CTF scoring adopts an entirely new approach to measuring what is happening in the game and is designed to reward offensive as well as defensive excellence. Services constitute the heart of the CTF game. Each team must attack and defend identically configured servers, each running some number of custom services. The idea is to analyze the custom services for vulnerabilities and to develop both an attack and a defense strategy for each service. By exploiting a service an attacker gains access to privileged information, which is generally referred to as a key, a flag, or a token. Keys may be readable (steal information), writable (corrupt information), or both. Teams demonstrate that they have stolen information by turning stolen keys in to a key submission server. Teams demonstrate that they can deface a service by overwriting keys with a replacement key unique to the attacker. For both of these activities, teams are awarded points. In order to keep things interesting, keys are periodically updated by the contest organizers, allowing teams to demonstrate that they can maintain continued access to their victim's data through submission or corruption of the new key values. Additionally, the period during which teams may submit stolen keys is finite (for example, within 30 minutes following the steal) in order to reduce the effects of key hoarding (where the displayed score is not representative of the actual score) and key sharing (where teams obtain keys by trading with other teams rather than by attacking them).
Rather than simply awarding a point per stolen or overwritten key, the scoring system this year will treat keys as commodities (such as diamonds). The following factors are taken into account when deriving a team's overall score:
- The more keys that are stolen/overwritten for a particular service, the less each key is worth.
- Teams earn more points for demonstrating diversity of attack across a given service. In other words, teams can score points for attacking the weakest defender, but they can earn far more points by demonstrating that they can attack the stronger teams as well.
- The longer a team's attacks go unnoticed, and the longer a team remains the sole possessor of a 0-day, the more points the team can accrue for a given service.
Teams are awarded points as follows:
- For a given service, up to 1800 points are available for distribution to the teams: 900 points for reading keys from their 9 opponents and 900 points for overwriting keys of their 9 opponents.
- For a given attacker, a given victim V, and a given service S, the attacker's partial score for stealing keys from the service is their percentage (0-100) of all keys stolen from V via service S.
- For a given service S, an attacker's score for service S is the sum of their partial scores (across all of the other teams) for that service.
- A team's overall raw score is the sum of its scores across all services in the game.
- A team's raw score is then multiplied by a measure of the availability of the team's services for the duration of the game. Note that availability does not imply the service is unexploitable, so the team may not in fact be defending the service.
One example of a partial score awards a team 100 points if they are the only team to steal keys for service S from victim V, even if the attacker steals only one key. Thus this is a very valuable key. In another example, team 1 may have stolen 400 keys, team 2 300 keys, team 3 200 keys, and team 4 100 keys from service S on victim V. In this second case the teams are awarded 40, 30, 20, and 10 points respectively, and individual keys are worth less because keys for this service are common.
The fifth item above (the availability multiplier) is meant to ensure that a team does not simply shut down all of its services in order to achieve a perfect defense.
An interesting effect that may be observed under this scoring system is that a team's score may actually decrease from time to time. For example, the first team to submit a key for a service/victim will have the one and only key submitted and therefore a partial score of 100 (percent) for that service. If a second team submits a key for the same service/victim each team's partial score will now be 50 points and the first team will see a decrease in their score owing to the fact that their 0-day is no longer as valuable as it once was. On the other hand if the first team manages to capture 99 keys before the second team submits their first key, the first team will see their score drop almost imperceptibly from 100 to 99 while the second team's score will be only 1. This situation reflects the first team's near monopoly on the given key type.
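The scoring rules above, including the score-decrease effect just described, as an added example (this is not ddtek's scoreboard code; the class, method names and the availability fraction are assumptions):

```python
from collections import defaultdict

# Added example of the key-as-commodity scoring described above (not ddtek's
# own scoreboard code). Stolen and overwritten keys are tracked separately;
# each kind yields a 0-100 partial score per (service, victim) pair.
class Scoreboard:
    def __init__(self):
        # counts[kind][service][victim][attacker] -> accepted keys
        self.counts = {k: defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
                       for k in ("steal", "overwrite")}
        # assumed: fraction of the game during which the team's own services were up
        self.availability = defaultdict(lambda: 1.0)

    def submit(self, kind, attacker, victim, service, n=1):
        """Record n accepted keys of kind 'steal' or 'overwrite' (opponents only)."""
        if attacker == victim:
            raise ValueError("a team cannot score against itself")
        self.counts[kind][service][victim][attacker] += n

    def partial_score(self, kind, attacker, victim, service):
        """Attacker's percentage of all keys of this kind taken from victim via service."""
        per_attacker = self.counts[kind][service][victim]
        total = sum(per_attacker.values())
        return 100.0 * per_attacker.get(attacker, 0) / total if total else 0.0

    def service_score(self, attacker, service):
        """Sum of partial scores across every victim, for stealing and overwriting."""
        return sum(self.partial_score(kind, attacker, victim, service)
                   for kind, table in self.counts.items()
                   for victim in list(table[service]))

    def raw_score(self, attacker):
        services = {s for table in self.counts.values() for s in table}
        return sum(self.service_score(attacker, s) for s in services)

    def final_score(self, attacker):
        """Raw score scaled by availability, so shutting services down costs points."""
        return self.raw_score(attacker) * self.availability[attacker]


def zero_day_erosion():
    """Replays the page's example: 100 alone, 50 once a rival submits, 99 vs 1 after 99 keys."""
    sb = Scoreboard()
    sb.submit("steal", "team1", "victimV", "svcS")
    alone = sb.partial_score("steal", "team1", "victimV", "svcS")
    sb.submit("steal", "team2", "victimV", "svcS")
    shared = sb.partial_score("steal", "team1", "victimV", "svcS")
    sb.submit("steal", "team1", "victimV", "svcS", n=98)
    return alone, shared, (sb.partial_score("steal", "team1", "victimV", "svcS"),
                           sb.partial_score("steal", "team2", "victimV", "svcS"))
```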
Those familiar with the 'breakthrough' system of past CTFs may note that there is no mention of breakthroughs in the description above. We feel that this scoring system rewards 0-day when 0-day is used effectively to build one's hoard of keys ahead of any other team developing their own version of the same exploit. Further, this system allows teams to delay the use of their 0-day in order to keep the number of keys in play to a minimum, with the associated risk that another team will beat them to the punch. Thus, in addition to testing a team's offensive and defensive skills, this scoring system attempts to make teams consider the strategy of how, when, and where to make use of their 0-day.
DEFCON CTF HISTORY
CTF  DC  Year  Winner                 Host           Title      OS           Number of teams
4    7   1999  ghettohackers          goons          ctf        up to team
5    8   2000  ghettohackers          goons          ctf        up to team
6    9   2001  ghetto+digirev         goons          ctf        up to team
7    10  2002  digirev                ghettohackers  root fu    redhat 6.2   8
10   13  2005  shellphish             kenshoto       war gamez  freebsd 5.4  8
11   14  2006  1@stplace              kenshoto       war gamez  solaris 10   8
16   19  2011  European Nopsled Team  ddtek          binjitsu   freebsd      12
*well actually 9, as the team "sk3wl0fr00t" was actually ddtek running the game from a team table
Capture the Flag is one of the oldest contests at Defcon dating back to Defcon 4. In the past few years, "capturing the flag" has become a popular moniker for all kinds of contests, and the sheer quantity of CTFs has been increasing steadily. Defcon CTF is one of the (if not the) oldest CTF that continues to run today. Here you can find a brief history of the contest and its evolution.
Defcon 4 was the first time CTF was really formalized into a contest: judges now decided when points should be awarded. In Defcon 5 and 6, participants could either provide a target or attack provided targets for points; as you might imagine, this amount of flexibility led to chaos on the game floor. Over the years the game has matured and events such as point scoring have largely been automated (heavily in many cases). This maturity is largely a result of having dedicated, non-Defcon organizers; naming the organizer early allows the organizer to dedicate time to game structure and infrastructure.
After a display of dominance in DC7-9, the ghettohackers became contest organizers for three years, before handing the reins to Kenshoto. After winning twice (and coming very close to winning several other times) ddtek took over contest organization for DC17 (ddtek is a subgroup of Sk3wl0fr00t). During DC7-9 the contest seemed to be as much about hacking the contest as about hacking the game servers.
Since DC10, CTF has been about custom services: pwn others', patch and protect your own. Each organizer has built on this model with technology aimed at preserving a fair game, additional twists such as scoring methods, and ever increasing difficulty. Recent organizers have chosen to keep the game layout secret until the game starts; participants do not necessarily know the scoring algorithm, network structure, or operating systems involved. At its core CTF is meant to test computer and network security. To some, that seems to be a fairly narrow focus area, but most Defcon attendees realize that "cyber security" is actually a very large and diverse field. Services range over poorly implemented or configured crypto, SQL injection, cross-site scripting, buffer overflows, timing attacks, heap exploits, malformed network constructs, custom interpreters; the list is truly endless. What will the contest bring this year?
As the contest matured, teams started participating regularly and more desired to play. A method of "qualifying" was implemented, similar to the Olympics and other sporting events. For the past several years a qualification weekend has pitted teams against a set of challenges and the clock. Teams with the most points at the end are invited to participate in person at Defcon. Beginning with DC19, winners are invited from other CTFs deemed to have a challenging enough contest, a respectable heritage, and a fair process. These CTF winners are essentially pre-qualified for Defcon CTF, making CTF a veritable "best of the best." There is really no excuse not to participate in quals; if you're reading this, you should register and participate next year. Phrases like "placing 132nd feels like quite an accomplishment" tend to appear on social networks.
In 2009 ddtek, an unknown name in the community, was announced as the CTF organizer. From the time of organizer announcement, through qualification round, a lot of google-translated IRC, and even through the entire contest during Defcon, nobody suspected that the folks sitting at the sk3wl0fr00t contest table were actually running the game! "Hacking the top hacker contest" seemed like a fun way to introduce ourselves to CTF organization. The yells of "bullshit" from CTF teams during the Defcon 17 awards ceremony were very gratifying.