2022 eCTF Rules - v1

.pdf

School

Northeastern University *

*We aren’t endorsed by this school

Course

MISC

Subject

Computer Science

Date

Dec 6, 2023

Type

pdf

Pages

25

Uploaded by ProfessorMosquitoPerson1001

Report
2022 Collegiate Embedded Capture-The-Flag (eCTF) Challenge Description v1.0 (2022.01.19))) © 2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-03314-13. Page 1 of 25 2022 Collegiate Embedded Capture-The-Flag (eCTF) Challenge Description v1.0 (2022.01.19) © 2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-03314-13. Challenge Description and Rules: SAFFIRe: a Secure Avionics Flight Firmware Installation Routine
2022 Collegiate Embedded Capture-The-Flag (eCTF) Challenge Description v1.0 (2022.01.19) © 2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-03314-13. Page 2 of 25 Contents 1 Challenge Overview ............................................................................................................................... 4 1.1 Motivational Scenario .................................................................................................................... 4 1.2 Competition Phases ....................................................................................................................... 5 1.2.1 Design Phase .......................................................................................................................... 5 1.2.2 Design Handoff ...................................................................................................................... 5 1.2.3 Attack Phase .......................................................................................................................... 6 2 System Overview ................................................................................................................................... 7 2.1 System Components ...................................................................................................................... 7 2.1.1 Challenge Platform ................................................................................................................ 8 2.1.2 Development Resources ........................................................................................................ 8 2.2 Avionic Device Lifecycle ................................................................................................................. 8 2.2.1 Device Fabrication Trojan Insertion .................................................................................... 9 2.2.2 SAFFIRe Device Creation ........................................................................................................ 9 2.2.3 Firmware and Configuration Image Protection ..................................................................... 9 2.2.4 Aircraft Depot Updates ........................................................................................................ 10 2.2.5 Aircraft Flights ...................................................................................................................... 10 3 Functional Requirements ..................................................................................................................... 10 3.1 System Build ................................................................................................................................. 12 3.2 Device Load .................................................................................................................................. 12 3.3 SAFFIRe Operations ..................................................................................................................... 13 3.3.1 Firmware Protect ................................................................................................................. 13 3.3.2 Configuration Protect .......................................................................................................... 13 3.3.3 Firmware Update ................................................................................................................. 14 3.3.4 Configuration Load .............................................................................................................. 15 3.3.5 Device Boot .......................................................................................................................... 16 3.3.6 Readback .............................................................................................................................. 16 4 Security Requirements ......................................................................................................................... 17 4.1 Confidentiality .............................................................................................................................. 17 4.2 Firmware/Configuration Integrity and Authenticity ................................................................... 17 4.3 Firmware Versioning .................................................................................................................... 17 4.4 Readback Authentication ............................................................................................................ 18
2022 Collegiate Embedded Capture-The-Flag (eCTF) Challenge Description v1.0 (2022.01.19) © 2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-03314-13. Page 3 of 25 5 Attack Phase Operation ....................................................................................................................... 18 5.1 Scenario ....................................................................................................................................... 18 5.2 Design Deployment ...................................................................................................................... 18 6 Scoring ................................................................................................................................................. 19 6.1 Design Phase Flags ....................................................................................................................... 19 6.1.1 Reverse Engineering Challenge ........................................................................................... 20 6.1.2 Side-Channel Analysis Challenge ......................................................................................... 20 6.1.3 Bug Bounty ........................................................................................................................... 20 6.2 Attack Phase Flags ....................................................................................................................... 20 6.2.2 Flag Point Values .................................................................................................................. 22 6.3 Defensive Points .......................................................................................................................... 23 6.4 Documentation Points ................................................................................................................. 23 6.5 Write-Ups ..................................................................................................................................... 23 7 Rules ..................................................................................................................................................... 23 8 Frequently Asked Questions ................................................................................................................ 24
2022 Collegiate Embedded Capture-The-Flag (eCTF) Challenge Description v1.0 (2022.01.19) © 2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-03314-13. Page 4 of 25 1 Challenge Overview 1.1 Motivational Scenario You are part of an elite design and development team at a startup company developing firmware for electronic devices that are used in aircraft (i.e., avionics). The company has had success developing cutting-edge navigation algorithms that will be used worldwide to improve aircraft flight timeliness and cost. However, you have hit a major roadblock during prototyping and testing. Yo u’ve discovered that once your devices ship to airports all over the world you will need to periodically update the in-flight firmware and allow customers to load in flight-specific configurations. How will you support this functionality and ensure that the system is secure? You and your team have been tasked with figuring it out! We need a secure update system the CEO already picked out the name: the Secure Avionics Flight Firmware Installation Routine” (SAFFIRe) . SAFFIRe consists of two parts: 1) the SAFFIRe bootloader for the avionic device and 2) the SAFFIRe host tools. The SAFFIRe bootloader does not run during flight and is instead responsible for installing and launching trustworthy firmware and configurations. Additionally, the bootloader must support a readback mode that lets a legitimate technician request information from the current firmware and configuration. The SAFFIRe host tools allow technicians to package updates and then communicate with the bootloader to install updates and request debug information from the device. Be careful though, as disgruntled employees working in aircraft ground crews may try to install their own malicious firmware and extract your proprietary algorithms, flight configurations, and sensitive device data. Unfortunately, there's one more wrinkle to worry about a recent news article revealed that your hardware manufacturing partner might not be as trustworthy as you’ d like. As a result, some of the hardware that you rely on may contain malicious modifications that impact the security of your system if you aren't careful.
2022 Collegiate Embedded Capture-The-Flag (eCTF) Challenge Description v1.0 (2022.01.19) © 2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-03314-13. Page 5 of 25 1.2 Competition Phases This is a design-build-attack competition with phases for both attack and defense: 1.2.1 Design Phase In the Design Phase, each team must design and implement a system that meets a set of functional requirements and security requirements . Teams will be provided with a reference design that meets the functional requirements but intentionally does not meet any security requirement . Teams may use the reference design as a starting point or build their design from scratch. In either case, the directory structure of the submitted design must match the structure defined in the Technical Specifications Document. During the Design Phase, teams may score points by capturing Design Phase Flags which show that teams are making progress towards a complete design. Flags must be submitted by their deadlines for points to be awarded. New This Year: In addition to the reverse engineering challenges and bug bounty program introduced last year, teams may score points by completing one or more of a series of emulated side-channel analysis challenges. See Section 6.1 for details 1.2.2 Design Handoff Starting March 9 th , each team may submit their completed design to the organizers. The organizers will then verify that their submission meets all functional requirements. If a submitted design passes functional testing, that team moves into the Attack Phase. Therefore, the date and time of transition from Design Phase to Attack Phase may vary between teams. For example: If Team A and Team B both Design Begins January 26th, 2022 Teams design a secure system that meets all the challenge requirements Teams attempt to solve development challenges to retrieve design-phase flags Handoff Begins March 9th, 2022 Teams may submit their designs to the eCTF Organizers Organizers verify that each design has met all the functional requirements Organizers post verified designs for all teams to evaluate during the attack phase Attack Begins immediately after successful completion of Handoff Teams perform a security evaluation of opposing teams' systems Teams demonstrate attacks by retrieving flags Scoreboard closes April 20th, 2022 Awards Ceremony on April 27th, 2022
2022 Collegiate Embedded Capture-The-Flag (eCTF) Challenge Description v1.0 (2022.01.19) © 2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-03314-13. Page 6 of 25 submit systems on the Handoff da te, but only Team A’s system passes the tests, t hen only Team A will move into the Attack Phase while Team B remains in the Design Phase until they submit a system that meets all functional requirements. Each submission should include all source code and documentation for the submitted design. This includes all code necessary for building and running the system in accordance with the system functional requirements. The system source code (and optionally the documentation) must reside in a Git repository, and any extra documentation not stored in the repository must be posted along with the submission request on the team’s official MITRE slack channel. Upon receiving a submission, the eCTF organizers will clone and provision the team’s sy stem via their Git repository. Then, the organizers will run a sequence of test cases that validate whether the system meets the functional requirements. Note : The test cases will not check any security requirements . The eCTF organizers will contact the submitting team within two (2) business days after the submission indicating whether the system is accepted or not. 1.2.2.1 Accepted Designs If a system is accepted, the organizers will inform the team and create a Handoff package that includes all source code, all documentation, and all distributed Attack Phase artifacts (See the Technical Specifications Document for more details). The team must approve of the Handoff package before advancing into the Attack Phase. Note: Teams are not allowed to modify their designs after reviewing the Handoff package. The Handoff package serves as the final opportunity for teams to verify that they have not left any sensitive system materials in their repositories that they do not wish to be publicly known. Any changes to the design or functionality of the submission will require going through the full Handoff process (i.e., functional testing) again before moving to the Attack Phase. 1.2.2.2 Rejected Designs If a system is not accepted, the eCTF organizers will inform the team and provide an explanation for why the design did not pass testing. The submitting team must then revise their design and submit a new version to the organizers. 1.2.2.3 Automated Design Testing New This Year! The eCTF organizers will provide teams with access to an automated testing server that they can use to run their systems through test cases before doing a formal submission. This is intended to improve the turnaround time for getting test results and provide teams with a way to better-validate their designs before submitting to the eCTF organizers. More details on how to use the testing server will be provided during the Design Phase. 1.2.3 Attack Phase During the Attack Phase, each design that has been validated during Handoff will be made available to other teams in the Attack Phase for attack. Teams will be able to attack other teams’ designs in two ways: On a physical microcontroller and/or on a server with an emulated microcontroller and aircraft simulation.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Related Questions
Explain your reasoning and the factors that led you to make each decision below. Debate whether or not the following are copyright infringements or fair uses. 1. You are adapting the popular movie "Pirates of the Caribbean" into a video game. Second, you should cite any images that were utilised in your report that were protected by copyright. Third, your capstone project should include setting up and running an Apache server. Copying and reselling original music CDs to the public after their first release. (Highlight two responses to this assertion).
Tony, a data analyst for a major casino, is working after normal business hours to finish an important project. He realizes that he is missing data that had been sent to his co-worker Robert. Tony had inadvertently observed Robert typing his password several days ago and decides to log into Robert’s computer and resend the data to himself. Upon doing so, Tony sees an open email regarding gambling bets Robert placed over the last several days with a local sports book. All employees of the casino are forbidden to engage in gambling activities to avoid any hint of conflict of interest. Tony knows he should report this but would have to admit to violating the company’s information technology regulations by logging into Robert’s computer. If he warns Robert to stop his betting,he would also have to reveal the source of his information. What does Tony do in this situation?a) Name some six human acts from the excerpt b) Giving three scenarios from the excerpt, evaluate the morality of acts…
1) What is the purpose of creating a security group in an OpenStack environment? [Choose two that apply] a) To open specific ports in the OpenStack environment so that instances can be accessed b) To block all connections to the OpenStack environment c) To give users access to the OpenStack Dash Board d) To secure the infrastructure and prevent unauthorized access
Several credit card firms now give users one-time-use credit card numbers as an extra layer of security for online purchases. There is just one purpose for these numerals. Customers may get the one-time-use number by visiting the website of the organization that issued their credit card. What are the advantages of employing this technology as opposed to more traditional methods of utilising credit card numbers? What are the advantages and disadvantages of employing this approach as opposed to using an electronic payment gateway for your own authentication?
13. What is the encryption value for the following parameters using the RSA algorithm? p-3; q-11; e-7, M-5 a C-26 Oc-14 c. C-57 d. C- 19
Specifications: Assume the following prompt. - There exists a 'Host Web Client', which interacts with: - A 'Remote Web Server' via HTTP request/response cycle - An external 'User' via a generic command/service cycle - A 'File System' using a read/write cycle For the given prompt, perform threat modeling. Which is: build a data flow diagram, identify threats using STRIDE approach, and propose mitigations for the identified threats. Verification of the threats and verification of the mitigations is not a requirement.
Discuss the following types of security vulnerabilities that affect code: Buffer Overflow Code Injection. You have an online web store having URL mystore.com. Explain why the following hyperlinks (URL) are not very safe, and how will you make them secure: http://www. com/ distributor/distributor.asp?distID=123 http://www. com/changepassword.php?userID=123
Deadlock Prevention requires what?
Deadlock Prevention requires what conditions?
DT ATC RS3 (config)# username techadmin password 63t0ut0fh3r3! DT ATC_RS3 (config) # enable secret 5tayout!!e! DT ATC_RS3 (config) # service password-encryption DT ATC_RS3 (config) # login block-for 180 attempts 2 within 60 DT ATC_RS3 (config) # 1ine console 0 DT ATC_RS3 (config-line) # login local DT_ATC_RS3(config-line) # end DT ATC RS3# exit Refer to the exhibit. The exhibited configuration is entered by a network administrator into a new router. Sometime later a network technician proceeds to log in to the router via a console connection. The technician enters techadmin as the user name and tries a password of 63t0utOfh3r3!. What will be the result of this action? O The router will display the DT_ATC_RS3> prompt. O The router will be locked for 2 minutes and 30 seconds. O The router will deny access and display a banner message. O The router will deny access and display an error message.
This exercise uses your programming environment to enhance the Web site you created last week with additional functionality to include images, tables and a Form using Python flask. Specifically, you will add two (2) additional routes allowing a user to register and login to a web site. Additional security considerations include other routes (beyond the register route) will not be accessible until a successful login has occurred. In addition to the requirements list above the following functionality should be found within your web site on one or more web pages.  Add at least 4 different images. The images should be local in your environment. For example, they should be saved in your environment and referenced similar to this syntax:  A Table with at least 4 rows and 3 columns.  A user registration form  A user login form  A password complexity should be enforced to include at least 12 characters in length, and include at least 1 uppercase character, 1 lowercase character, 1 number…
This exercise uses your programming environment to enhance the Web site you created last week with additional functionality to include images, tables and a Form using Python flask. Specifically, you will add two (2) additional routes allowing a user to register and login to a web site. Additional security considerations include other routes (beyond the register route) will not be accessible until a successful login has occurred. In addition to the requirements list above the following functionality should be found within your web site on one or more web pages.  Add at least 4 different images. The images should be local in your environment. For example, they should be saved in your environment and referenced similar to this syntax:  A Table with at least 4 rows and 3 columns.  A user registration form  A user login form  A password complexity should be enforced to include at least 12 characters in length, and include at least 1 uppercase character, 1 lowercase character, 1 number…
How is an X.509 certificate revoked?
The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit entity organizing Internet domain names. It is governed by a board of directors elected by various groups with commercial interests in the Internet. One of ICANN's functions is to authorize an entity as a registry for certain "Top Level Domains" (TLDS). ICANN entered into an agreement with VeriSign to serve as a registry for the ".com" TLD to provide registry services in accordance with ICANN's specifications. VeriSign complained that ICANN was restricting the services that it could make available as a registrar and blocking new services, imposing unnecessary conditions on those services, and setting prices at which the services were offered. VeriSign claimed that ICANN's control of the registry services for domain names violated Section 1 of the Sherman Act. Using the information presented in the chapter, answer the following questions. 1. Should ICANN's actions be judged under the rule of reason or be…
For the CoinMiner malware, please write a short paragraph based on the given background and website info: CoinMiner – Trojan CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware. https://www.cisecurity.org/insights/blog/top-10-malware-december-2022   Coin Miner is a malware type that uses the hardware elements of the victim’s PC to mine cryptocurrencies. Most often, crooks who control such coin miner virus (Monero (XMR) or (Litecoin an example), as they are the easiest for mining. They can use the software that is similar or even completely repeats the one used for legit mining, but with a key difference - people whose hardware is used never agreed for this.…
Alert dont submit AI generated answer.
Using C# in Visual Studio: Create the graphical user interfaces as shown below. Provide appropriate names for all the controls.
What was the final set of criteria utilized by the National Institute of Standards and Technology (NIST) to evaluate prospective AES ciphers?
12. In addition to the NST Digital Signature Algorithm and ECDSA, the 2009 version of FIPS 186 also includes several techniques based on --------------, all of which were developed by RSA Laboratories and are in wide use.    14. FIPS 186-3 incorporates digital signature algorithms based on RSA and on --------------- cryptography.
Create two tutorials for Help Desk interns, describing how to set up web technologies for the new operating system for use with a specific web browser. Prepare one tutorial for setting the company website as the employees' homepage. The second tutorial should describe how to enable and disable cookies.
SEE MORE QUESTIONS
Recommended textbooks for you
Text book image
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,
SEE MORE TEXTBOOKS
Related Questions
SEE MORE QUESTIONS
Recommended textbooks for you
Text book image
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,
SEE MORE TEXTBOOKS