54. Why Capture the Flag is More Than Just A Game in Cybersecurity

You may have played the game capture the flag as a kid, but did you know it has another meaning in cybersecurity? Capture the flag (CTF) events in a cybersecurity context ask teams to hack into devices in order to detect vulnerabilities. In this episode, Camille is joined by award-winning academics Ahmad-Reza Sadeghi, a professor at TU Darmstadt in Germany, and JV Rajendran, an assistant professor at Texas A&M, to shed light on these important security exercises and how they’re such a great intersection of industry and academia. Their discussion covers the history of CTF for improving hardware security, what goes into a CTF event, how participants look for vulnerabilities and what those vulnerabilities may be, how CTF events can lead to the discovery of new vulnerabilities on top of the ones already injected into the codes at hand, and more! The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.     We cover: -  The meaning and history of “capture the flag” (CTF) in the digital realm, especially as it applies to hardware security -  The structure of a CTF event and the kinds of tools and resources made available to participating teams -  How people are trained to look for vulnerabilities, and how they might look for those even without a CTF event - The various classes of vulnerabilities, and why the trend of replicating them exists in the first place -  How the pandemic has impacted CTF ... and more.  Tune in!   The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.   Here are some key take-aways: -  The purpose of capture the flag events is for great minds around the world to use their hacking skills to detect vulnerabilities that have purposefully been injected with bugs; that way, product security can be improved based on the findings. -  Similar to the children’s game, CTF events are competitive; they’re all about picking up “digital flags”, trying to outscore competitors along the way. -  CTF participants report back to judges to claim their points at the end of an event, and the results are then used to boost existing and future product security. -  A fantastic outcome of CTF events is that they sometimes lead to the discovery of new vulnerabilities on top of those that have been injected into the codes at hand. -  In addition to CTF events, academia is key in training students what to look for when detecting vulnerabilities in hardware. -  When selecting devices to experimentally hack into, it’s important to consider the popularity of the device, as well as the device’s ability to connect to other devices.   Some interesting quotes from today’s episode: “That's the beauty of the human mind - you can run a lot of artificial intelligence, but nobody has these flashy ideas that come to the human brain.” “If a device exceeds a certain popularity, that means more people are using it, so we buy this device, and we hack into it.” “Jason Fung from Intel came to us and said, ‘Hey, I want to have a discussion with you.’ He was pitching this idea of running the Capture the Flag competitions where he would provide buggy Verilog code, and ask students to find the bugs in the code and start exploiting them. And this was immediately great for me because I was looking for buggy Verilog code, and this guy from Intel comes and says he can provide that. And that's great, not just for training students, but also for my research. So that's how I got attracted to this line of work.”   “Sometimes they even find errors and vulnerabilities that we didn't inject into the code that we sent them. That's also the most important part of it. New vulnerabilities that teams find.”    “There are certain bugs that are more severe. That can be, as I said, remotely exploited even by an attacker who doesn't have the right privileges. Those kinds of attacks are far more serious. And our judges tend to value those attacks a lot more.”   “We cannot put it on a commercial platform because companies would not provide that. But this open source platform, on the other hand, is a good vehicle.”   “That has been a big influence, even for our research, because now we know like, ‘Hey, these are the bugs and the problems that the companies care about. So let's use those things to actually kind of reflect the real world scenario’.”   “Our lab aims to develop techniques to protect the designs against these kinds of attacks.”   “We do a kind of market research. If the device exceeds a certain popularity, that means more people are using it, so we buy this device, and we hack into it.”