Embedded Capture the Flag

An attack-and-defend exercise for designing secure embedded systems

Register now for the 2019 Collegiate eCTF!

Previous Teams: Your advisor has been sent an email containing the registration link.

New Teams: Please email ectf@mitre.org to receive the registration link.


Overview

MITRE's eCTF (embedded capture-the-flag) is an embedded security competition that puts participants through the experience of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, which opens the scope of the challenge to include physical/proximal access attacks. The eCTF is a two-phase competition with attack and defense components. In the first phase, competitors design and implement a secure system based on a set of challenge requirements. The second phase involves analyzing and attacking the other teams’ designs.


Schedule

2019.01.16:  Phase 1: Design phase begins
2019.03.01:  Phase 2: System handoff and Attack phase begins
2019.04.12:  Scoreboard closes
2019.04.18:  Award ceremony and debrief

Announcements

2018.11.26:  Outreach has begun! We sent out this informational flyer to all past advisors.
2019.01.16:  Ready, set, go! The Official Challenge Doc is now available!

FAQ

How is this different from other Capture the Flag (CTF) competitions?

The eCTF is unique in two major ways. First, the focus is on securing embedded systems, which present an entirely new set of challenges and security issues that are not currently covered by traditional “online” CTFs. Second, this event balances offense and defense by including a significant secure-design phase in addition to an attack phase. This competition will help you develop practical skills that can be applied securing critical systems, such as medical devices, smart grids, IoT devices, and mobile devices.

How does it work?

This event puts competitors through the exercise of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, opening the challenge to include physical/proximal access attacks.

Secure Design ─ Teams design a secure system that meets all the challenge requirements.

Handoff ─ MITRE verifies that each submitted system has met all functional requirements. MITRE posts designs for all teams to evaluate during the attack phase.

Attack ─ Teams perform security evaluations of opposing teams’ systems and request provisionedchips for vulnerable systems. Points are awarded for flags retrieved from successful attacks.

What is this year’s challenge?

Teams will design a secure video game console on the Digilent Arty Z7. The system must attempt to protect the intellectual property of game designers, prevent users from loading their own software, and allow verified users to install and play games that they have purchased.

Who can participate?

Anyone! Students at all academic levels are welcome to participate. Team sizes are unlimited (although a minimum of 4 students is recommended). Sponsorship of a faculty member is preferred.

Can I earn college credits?

Work with your professor(s) / faculty advisor to determine how to earn credit at your institution. Most students can earn college credit hours. Remember that this is a significant time commitment, typically commensurate with the credit hours you may receive.

What is provided by MITRE to help?

MITRE provides teams with a reference implementation, embedded hardware, and technical guidance throughout the competition.

Are there awards?

Winning teams receive a cash prize, publicity from MITRE, and typically earn accolades from their university as well. Students have used their participation in eCTF to build resumes, present at conferences, and open the door to valuable internship and career opportunities, including engineering positions at MITRE.

Questions?

Please contact the MITRE eCTF team at ectf@mitre.org



Previous Competitions:

Collegiate eCTF 2018

  • First Place Overall: Hokie Hackers --Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
  • Second Place Overall: Anonymous Elephants --Tufts University, advised by Ming Chow
  • Third Place Overall: VuPenn --University of Pennsylvania, advised by James Weimer
  • Additional Awards:
    • First To Market: TechSec --MIT
    • Iron Flag 1: HokieHackers --Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
    • Iron Flag 2: 0xbu --Boston University, advised by Renato Mancuso
    • Golden Flag: VuPenn --University of Pennsylvania, advised by James Weimer
    • Flag Factory: HokieHackers --Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
    • Best Documentation: Nullify --University of Nebraska, Omaha, advised by Bill Mahoney
    • Best Writeup: Anonymous Elephants --Tufts University, advised by Ming Chow

Collegiate eCTF 2017

  • First Place Overall: Firmware Dogs --University of Connecticut, advised by John Chandy
  • Mass Attack Winner: Team Sprite --Northeastern University, advised by Guevara Noubir
  • Iron Flag Winners:
    • Firmware Dogs --University of Connecticut, advised by John Chandy
    • pgm_read_flag() --Carnegie Mellon University, advised by Martin Carlisle
    • Snorlax --University of Massachusetts- Amherst, advised by Dan Holcomb

Collegiate eCTF 2016

  • First Place Overall: We're Probably Insecure --Worcester Polytechnic Institute, advised by Thomas Eisenbarth
  • Most Flag Points: WillHax4Snacks --Northeastern University, advised by Yunsi Fei
  • Iron Flag: Tufts eCTF --Tufts University, advised by Ming Chow