How would you fix a robot from outer space that crash-landed in your backyard? How would you uncover its secrets?
Those are challenges high school students will face in "Toaster Wars," as they strive to learn hacking basics in a computer security competition hosted by two Carnegie Mellon University student-run teams.
The competition — called picoCTF — is designed to pique student interest in the field. It's open nationwide to students in grades 6–12, and interested participants can register for free on the competition website.
PicoCTF was created by Plaid Parliament of Pwning (PPP), a CyLab computer security research team made up of CMU students and staff, and Team Osiris, made up of talented artists and designers from CMU's Entertainment Technology Center (ETC). Currently, over 600 teams are enrolled in the contest, which works out to about 3,000 students.
It is unique in its adventure game-oriented approach to computer security.
"The typical defensive competitions end up with competitors merely running through checklists, but CMU's challenge is heavily focused on exploration and improvisation with elements of play," said David Brumley, the Gerard G. Elia Career Development Professor in the Department of Electrical and Computer Engineering and faculty adviser for the two teams.
Brumley says the competition is designed to interest novices and experts alike. Students who participate get hands-on experience in security topics such as cryptography and codes, computer bugs, exploits and defenses.
"PPP has experience in hosting a professional hacking competition — plaidCTF — featuring over 800 teams competing from all over the world," Brumley said. "So developing a similar hacking competition for a younger audience felt like a logical extension and interesting challenge for them."
Hacking competitions, referred to as CTFs, are often presented in a "capture-the-flag" format in which participants must find hidden clues or flags in digital files or computer systems. This competition was conceived during a casual conversation between visiting representatives of the National Security Agency (NSA) and members of PPP. PPP is among the highest-ranking CTF teams in the world, placing second in 2012 and first in 2011.
"It is important to note that their competitors and colleagues in the contests are not other university teams, but typically professional penetration testing teams," Brumley said.
PicoCTF is a strong example of the university's world-class faculty working directly with students. Brumley is well recognized for his work in the field of computer security, receiving honors such as the USENIX Security best paper awards in 2003 and 2007, a 2010 NSF CAREER award, the 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama, and a 2012 Sloan award.
The students creating the contest come from a range of backgrounds across the university and spent nights and weekends working hard to make picoCTF an event that impacts the state of computer science education in the United States.
PPP member Peter Chapman, a Ph.D. candidate in the computer science department in CMU's School of Computer Science and graduate student lead on the project, says hacking is not only a fun way to garner interest in computer science but perhaps the best possible way to learn about how computer systems work.
"Writing secure code is about understanding the mindset of an attacker," said Chapman. "It is fairly easy to program, and it is not too difficult to find bugs in programs. But to be able to understand precisely how it all works together to the point that you can exploit a computer takes a tremendous amount of understanding. And that is what hacking is really about."
Chapman feels strongly that students can do amazing things when self-motivated to solve a challenge.
"Almost all of our problems will require students to do something they have never done before," he explained. "I want students to walk away from picoCTF with the mindset that they can do seemingly impossible things if they take the time to learn how they work. That's what the best hacks do — the impossible."