Embedded Capture the Flag

An attack-and-defend exercise for designing secure embedded systems

The 2020 eCTF is now over!

We hosted our largest competition this year, with 20 schools participating from across the United States. The challenge this year was to design a secure music player that supported many common operations (play, pause, stop), while also supporting more complex features (allowing members of the same family to share songs with each other). In addition, teams had to prevent attacking teams from capturing 5 flags:

  1. Region Lock: Prevent a song from playing on a player from a different region.
  2. Custom Music: Prevent "illegally" acquired music from being played on the player.
  3. Music Tamper: Prevent playing of tampered audio files.
  4. Unauthorized Play: Prevent users who do not own songs from playing them.
  5. Pin Extraction: Prevent the theft of user credentials.

All of the teams did an incredible job this year and we received some truly impressive designs. We are very proud of the accomplishments of all of the participants, and we look forward to recognizing them at the Award Ceremony.

To learn more about the 2020 competition, please see the introduction flyer, rules for this year, and insecure example repository.

For any specific questions or to join our mailing list, please email ectf@mitre.org


2020 Award Ceremony - May 6th

The schedule for the 2020 Award Ceremony is posted below. The ceremony will take place on Zoom; however, we will be airing the pre-recorded student presentations on https://twitch.tv/ectf. We recommend that attendees keep both the Zoom call and the Twitch stream running in separate tabs throughout the day, as only one will be "live" at a time. Following each presentation will be a 5-minute Q&A block with the team on Zoom. We will also have two networking blocks, which provide the opportunity to ask any additional questions, as well as a chance to network with other participants and the MITRE and Riverside Research staff.

Start Time (Eastern) Title
11:00 Competition Overview
11:15 Guest Speaker: Dr. Wayne Burleson - Professor of Electrical and Computer Engineering at UMass Amherst
11:30 Purdue Presentation
11:40 Delaware Area Career Presentation
11:50 Morgan State University Presentation
12:00 Lunch Break and Networking
12:20 Rochester Institute of Technology Presentation
12:30 Texas A&M Presentation
12:45 Florida International University Presentation
13:00 University of Cincinnati Presentation
13:15 University of Florida Presentation
13:30 Cornell University Presentation
13:45 Northeastern University Presentation
14:00 Networking
14:30 Award Presentation: Introduction by MITRE VP Dr. Charles Clancy
15:15 Closing Thoughts

Overview

MITRE's eCTF (embedded capture-the-flag) is an embedded security competition that puts participants through the experience of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, which opens the scope of the challenge to include physical/proximal access attacks. The eCTF is a two-phase competition with attack and defense components. In the first phase, competitors design and implement a secure system based on a set of challenge requirements. The second phase involves analyzing and attacking the other teams’ designs.


FAQ

How is this different from other Capture the Flag (CTF) competitions?

The eCTF is unique in two major ways. First, the focus is on securing embedded systems, which present an entirely new set of challenges and security issues that are not currently covered by traditional “online” CTFs. Second, this event balances offense and defense by including a significant secure-design phase in addition to an attack phase. This competition will help you develop practical skills that can be applied to securing critical systems, such as medical devices, smart grids, IoT devices, and mobile devices.

How does it work?

This event puts competitors through the exercise of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, opening the challenge to include physical/proximal access attacks.

Secure Design ─ Teams design a secure system that meets all the challenge requirements.

Handoff ─ MITRE verifies that each submitted system has met all functional requirements. MITRE posts designs for all teams to evaluate during the attack phase.

Attack ─ Teams perform security evaluations of opposing teams’ systems and request provisioned chips for vulnerable systems. Points are awarded for flags retrieved from successful attacks.

What is this year’s challenge?

Teams will design a secure audio digital rights management (DRM) module for a next-generation multimedia player on the Digilent Cora Z7. The system must be secure to prevent users from playing pirated music, support region locking, and prevent the creation of cloned bootleg players.

Who can participate?

Anyone! Students at all academic levels are welcome to participate. Team sizes are unlimited (although a minimum of 4 students is recommended). Sponsorship of a faculty member is preferred.

Do I need to travel for the competition?

The competition can be done 100% remotely. MITRE will ship all required hardware to the teams at the start of the competition and development can be done directly on your college campus. Once teams have a completed design, they submit the code to MITRE for testing and MITRE will ensure that all challenge requirements are met. Once this verification process is completed, the source code and compiled binaries will be provided to all of the attacking teams.

Once the competition concludes, MITRE hosts an award ceremony where teams are invited to share in their accomplishments, meet participants from other schools, interact with MITRE staff, and see the final standings revealed!

Can I earn college credits?

Work with your professor(s) / faculty advisor to determine how to earn credit at your institution. Most students can earn college credit hours. Remember that this is a significant time commitment, typically commensurate with the credit hours you may receive.

What is provided by MITRE to help?

MITRE provides teams with a reference implementation, embedded hardware, and technical guidance throughout the competition.

Are there awards?

Winning teams receive a cash prize, publicity from MITRE, and typically earn accolades from their university as well. Students have used their participation in eCTF to build resumes, present at conferences, and open the door to valuable internship and career opportunities, including engineering positions at MITRE.

Questions?

Please contact the MITRE eCTF team at ectf@mitre.org



Previous Competitions:

Collegiate eCTF 2019

  • First Place Overall: DeNUvo -- Northeastern University, advised by Guevara Noubir -- [presentation]
  • Second Place Overall: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle -- [presentation]
  • Two-way tie for Third Place Overall:
    • ZOO_MES -- University of Massachusetts, advised by Wayne Burleson -- [presentation]
    • TigerBytes -- Rochester Institute of Technology, advised by Ziming Zhao and Marcin Łukowiak -- [presentation]
  • Additional Awards:
    • 0Day Award: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle
    • Iron Flag: DeNUvo -- Northeastern University, advised by Guevara Noubir
    • Best Writeup: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle
    • Best Documentation: DeNUvo -- Northeastern University, advised by Guevara Noubir
    • Tech Support Hero: ZOO_MES -- University of Massachusetts, advised by Wayne Burleson

Collegiate eCTF 2018

  • First Place Overall: Hokie Hackers -- Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
  • Second Place Overall: Anonymous Elephants -- Tufts University, advised by Ming Chow
  • Third Place Overall: VuPenn -- University of Pennsylvania, advised by James Weimer
  • Additional Awards:
    • First To Market: TechSec -- MIT
    • Iron Flag 1: HokieHackers -- Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
    • Iron Flag 2: 0xbu -- Boston University, advised by Renato Mancuso
    • Golden Flag: VuPenn -- University of Pennsylvania, advised by James Weimer
    • Flag Factory: HokieHackers -- Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
    • Best Documentation: Nullify -- University of Nebraska, Omaha, advised by Bill Mahoney
    • Best Writeup: Anonymous Elephants -- Tufts University, advised by Ming Chow

Collegiate eCTF 2017

  • First Place Overall: Firmware Dogs -- University of Connecticut, advised by John Chandy
  • Mass Attack Winner: Team Sprite -- Northeastern University, advised by Guevara Noubir
  • Iron Flag Winners:
    • Firmware Dogs -- University of Connecticut, advised by John Chandy
    • pgm_read_flag() -- Carnegie Mellon University, advised by Martin Carlisle
    • Snorlax -- University of Massachusetts-Amherst, advised by Dan Holcomb

Collegiate eCTF 2016

  • First Place Overall: We're Probably Insecure -- Worcester Polytechnic Institute, advised by Thomas Eisenbarth
  • Most Flag Points: WillHax4Snacks -- Northeastern University, advised by Yunsi Fei
  • Iron Flag: Tufts eCTF -- Tufts University, advised by Ming Chow