Embedded Capture the Flag

An attack-and-defend exercise for designing secure embedded systems

Register Now for the 2021 Virtual Collegiate eCTF!

Registration open!


Overview

MITRE's eCTF (embedded capture-the-flag) is an embedded security competition that puts participants through the experience of trying to create a secure system and then learning from their mistakes. The main target is a real physical (or emulated for 2021) embedded device, which opens the scope of the challenge to include physical/proximal access attacks. The eCTF is a two-phase competition with attack and defense components. In the first phase, competitors design and implement a secure system based on a set of challenge requirements. The second phase involves analyzing and attacking the other teams’ designs.


2021 Virtual Challenge

As we expect many teams to compete remotely this year, the 2021 eCTF will use emulated hardware of a real ARM target in lieu of physical hardware. This will enable teams to compete even if students are not all on campus. More information will be released at the kickoff.

The 2021 competition will have teams designing a secure communications library for inter-UAV communications.

The kickoff will be on January 20, 2021. Check back soon or join our mailing list for updates and more details about the 2021 competition.

For any specific questions or to join our mailing list, please email ectf@mitre.org


FAQ

How is this different from other Capture the Flag (CTF) competitions?

The eCTF is unique in two major ways. First, the focus is on securing embedded systems, which present an entirely new set of challenges and security issues that are not currently covered by traditional “online” CTFs. Second, this event balances offense and defense by including a significant secure-design phase in addition to an attack phase. This competition will help you develop practical skills that can be applied to securing critical systems, such as medical devices, smart grids, IoT devices, and mobile devices.

How does it work?

This event puts competitors through the exercise of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, opening the challenge to include physical/proximal access attacks.

Secure Design ─ Teams design a secure system that meets all the challenge requirements.

Handoff ─ MITRE verifies that each submitted system has met all functional requirements. MITRE posts designs for all teams to evaluate during the attack phase.

Attack ─ Teams perform security evaluations of opposing teams’ systems and request provisioned chips for vulnerable systems. Points are awarded for flags retrieved from successful attacks.

What is this year’s challenge?

Teams will design a secure communications system for an unmanned aerial vehicle (UAV) package delivery system. The system must be secure to prevent attackers from gaining access to the network to spy on and disrupt the UAV system.

Who can participate?

Anyone! Students at all academic levels are welcome to participate. Team sizes are unlimited (although a minimum of 4 students is recommended). Sponsorship of a faculty member is preferred.

Do I need to travel for the competition?

The competition can be done 100% remotely. MITRE will provide teams with servers to develop and compete on. Once teams have a completed design, they submit the code to MITRE for testing and MITRE will ensure that all challenge requirements are met. Once this verification process is completed, the source code and compiled binaries will be provided to all of the attacking teams.

Once the competition concludes, MITRE hosts an award ceremony where teams are invited to share in their accomplishments, meet participants from other schools, interact with MITRE staff, and see the final standings revealed!

Can I earn college credits?

Work with your professor(s) / faculty advisor to determine how to earn credit at your institution. Most students can earn college credit hours. Remember that this is a significant time commitment, typically commensurate with the credit hours you may receive.

What is provided by MITRE to help?

MITRE provides teams with a reference implementation, development servers, and technical guidance throughout the competition.

Are there awards?

Winning teams receive a cash prize, publicity from MITRE, and typically earn accolades from their university as well. Students have used their participation in eCTF to build resumes, present at conferences, and open the door to valuable internship and career opportunities, including engineering positions at MITRE.

Questions?

Please contact the MITRE eCTF team at ectf@mitre.org



Previous Competitions:

Collegiate eCTF 2020

  • First Place Overall: Husky Records -- Northeastern University, advised by Guevara Noubir
  • Second Place Overall: Insecure Example -- University of Cincinnati, advised by Carla Purdy
  • Third Place Overall: Cornell -- Cornell University, advised by Daniel Weber
  • Fourth Place Overall: CyberGatorz -- University of Florida, advised by Mark Tehranipoor
  • Additional Awards:
    • Best Documentation: Husky Records -- Northeastern University, advised by Guevara Noubir
    • Best Write-Up: Husky Records -- Northeastern University, advised by Guevara Noubir
    • Tech Support Hero: Husky Records -- Northeastern University, advised by Guevara Noubir
    • First High School Submission: 0xDACC -- Delaware Area Career Center, advised by Eli Cochran

Collegiate eCTF 2019

  • First Place Overall: DeNUvo -- Northeastern University, advised by Guevara Noubir -- [presentation]
  • Second Place Overall: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle -- [presentation]
  • Two-way tie for Third Place Overall:
    • ZOO_MES -- University of Massachusetts, advised by Wayne Burleson -- [presentation]
    • TigerBytes -- Rochester Institute of Technology, advised by Ziming Zhao and Marcin Łukowiak -- [presentation]
  • Additional Awards:
    • 0Day Award: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle
    • Iron Flag: DeNUvo -- Northeastern University, advised by Guevara Noubir
    • Best Writeup: ROP it like its hot -- Carnegie Mellon University, advised by Martin Carlisle
    • Best Documentation: DeNUvo -- Northeastern University, advised by Guevara Noubir
    • Tech Support Hero: ZOO_MES -- University of Massachusetts, advised by Wayne Burleson

Collegiate eCTF 2018

  • First Place Overall: Hokie Hackers -- Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
  • Second Place Overall: Anonymous Elephants -- Tufts University, advised by Ming Chow
  • Third Place Overall: VuPenn -- University of Pennsylvania, advised by James Weimer
  • Additional Awards:
    • First To Market: TechSec -- MIT
    • Iron Flag 1: HokieHackers -- Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
    • Iron Flag 2: 0xbu -- Boston University, advised by Renato Mancuso
    • Golden Flag: VuPenn -- University of Pennsylvania, advised by James Weimer
    • Flag Factory: HokieHackers -- Virginia Tech, advised by Matthew Hicks and Patrick Schaumont
    • Best Documentation: Nullify -- University of Nebraska, Omaha, advised by Bill Mahoney
    • Best Writeup: Anonymous Elephants -- Tufts University, advised by Ming Chow

Collegiate eCTF 2017

  • First Place Overall: Firmware Dogs -- University of Connecticut, advised by John Chandy
  • Mass Attack Winner: Team Sprite -- Northeastern University, advised by Guevara Noubir
  • Iron Flag Winners:
    • Firmware Dogs -- University of Connecticut, advised by John Chandy
    • pgm_read_flag() -- Carnegie Mellon University, advised by Martin Carlisle
    • Snorlax -- University of Massachusetts-Amherst, advised by Dan Holcomb

Collegiate eCTF 2016

  • First Place Overall: We're Probably Insecure -- Worcester Polytechnic Institute, advised by Thomas Eisenbarth
  • Most Flag Points: WillHax4Snacks -- Northeastern University, advised by Yunsi Fei
  • Iron Flag: Tufts eCTF -- Tufts University, advised by Ming Chow