MITRE's eCTF (embedded capture-the-flag) is an embedded security competition that puts participants through the experience of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, which opens the scope of the challenge to include physical/proximal access attacks. The eCTF is a two-phase competition with attack and defense components. In the first phase, competitors design and implement a secure system based on a set of challenge requirements. The second phase involves analyzing and attacking the other teams’ designs.
How is this different from other Capture the Flag (CTF) competitions?
The eCTF is unique in two major ways. First, the focus is on securing embedded systems, which present an entirely new set of challenges and security issues that are not currently covered by traditional “online” CTFs. Second, this event balances offense and defense by including a significant secure-design phase in addition to an attack phase. This competition will help you develop practical skills that can be applied securing critical systems, such as medical devices, smart grids, IoT devices, and mobile devices.
How does it work?
This event puts competitors through the exercise of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, opening the challenge to include physical/proximal access attacks.
Secure Design ─ Teams design a secure system that meets all the challenge requirements.
Handoff ─ MITRE verifies that each submitted system has met all functional requirements. MITRE posts designs for all teams to evaluate during the attack phase.
Attack ─ Teams perform security evaluations of opposing teams’ systems and request provisionedchips for vulnerable systems. Points are awarded for flags retrieved from successful attacks.
What is this year’s challenge?
Teams will design a secure audio digital rights management (DRM) module for a next-generation multimedia player on the Digilent Cora Z7. The system must be secure to prevent users from playing pirated music, support region locking, and prevent the creation of cloned bootleg players.
Who can participate?
Anyone! Students at all academic levels are welcome to participate. Team sizes are unlimited (although a minimum of 4 students is recommended). Sponsorship of a faculty member is preferred.
Do I need to travel for the competition?
The competition can be done 100% remotely. MITRE will ship all required hardware to the teams at the start of the competition and development can be done directly on your college campus. Once teams have a completed design, they submit the code to MITRE for testing and MITRE will ensure that all challenge requirements are met. Once this verification process is completed, the source code and compiled binaries will be provided to all of the attacking teams.
Once the competition concludes, MITRE hosts an award ceremony where teams are invited to share in their accomplishments, meet participants from other schools, interact with MITRE staff, and see the final standings revealed!
Can I earn college credits?
Work with your professor(s) / faculty advisor to determine how to earn credit at your institution. Most students can earn college credit hours. Remember that this is a significant time commitment, typically commensurate with the credit hours you may receive.
What is provided by MITRE to help?
MITRE provides teams with a reference implementation, embedded hardware, and technical guidance throughout the competition.
Are there awards?
Winning teams receive a cash prize, publicity from MITRE, and typically earn accolades from their university as well. Students have used their participation in eCTF to build resumes, present at conferences, and open the door to valuable internship and career opportunities, including engineering positions at MITRE.
Please contact the MITRE eCTF team at firstname.lastname@example.org
- First Place Overall: DeNUvo -- Northeastern University, advised by Guevara Noubir -- [presentation]
- Second Place Overall: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle -- [presentation]
- Two-way tie for Third Place Overall:
- ZOO_MES -- University of Massachusetts, advised by Wayne Burleson -- [presentation]
- TigerBytes -- Rochester Institute of Technology, advised by Ziming Zhao and Marcin Łukowiak -- [presentation]
- Additional Awards:
- 0Day Award: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle
- Iron Flag: DeNUvo -- Northeastern University, advised by Guevara Noubir
- Best Writeup: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle
- Best Documentation: DeNUvo -- Northeastern University, advised by Guevara Noubir
- Tech Support Hero: ZOO_MES -- University of Massachusetts, advised by Wayne Burleson
- First Place Overall: Hokie Hackers --Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
- Second Place Overall: Anonymous Elephants --Tufts University, advised by Ming Chow
- Third Place Overall: VuPenn --University of Pennsylvania, advised by James Weimer
- Additional Awards:
- First To Market: TechSec --MIT
- Iron Flag 1: HokieHackers --Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
- Iron Flag 2: 0xbu --Boston University, advised by Renato Mancuso
- Golden Flag: VuPenn --University of Pennsylvania, advised by James Weimer
- Flag Factory: HokieHackers --Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
- Best Documentation: Nullify --University of Nebraska, Omaha, advised by Bill Mahoney
- Best Writeup: Anonymous Elephants --Tufts University, advised by Ming Chow
- First Place Overall: Firmware Dogs --University of Connecticut, advised by John Chandy
- Mass Attack Winner: Team Sprite --Northeastern University, advised by Guevara Noubir
- Iron Flag Winners:
- Firmware Dogs --University of Connecticut, advised by John Chandy
- pgm_read_flag() --Carnegie Mellon University, advised by Martin Carlisle
- Snorlax --University of Massachusetts- Amherst, advised by Dan Holcomb
- First Place Overall: We're Probably Insecure --Worcester Polytechnic Institute, advised by Thomas Eisenbarth
- Most Flag Points: WillHax4Snacks --Northeastern University, advised by Yunsi Fei
- Iron Flag: Tufts eCTF --Tufts University, advised by Ming Chow