July 15, 2019
CMU places second in MITRE Embedded CTF
The cross-disciplinary team also made an 'impressive discovery' that led to the competition’s first ever 0day Award.
By Deana Lorenzo
A team of students from Carnegie Mellon University (CMU), including four from the Information Networking Institute (INI), finished in second place overall at the 2019 MITRE Embedded Capture the Flag (eCTF) competition, which ran from January to April. They were also recognized for their achievements throughout the event with the Best Writeup Award and the competition’s first ever 0day Award.
The cross-disciplinary CMU team was composed of INI master's students Sam Dlinn, Alex Fulton, Nicholas Kantor, and Wai Tuck Wong; Electrical and Computer Engineering (ECE) master's student Manoj Raghunathan; School of Computer Science (SCS) master's students Lim Wen Shih and Benjamin Michael, and ECE junior Ripley Lyster. Together they worked to design a secure gaming console and attack designs from other university teams. INI Professor Martin Carlisle advised the student team, which competed under the moniker “ROP It Like It’s Hot.”
“I'm incredibly proud of the CMU team's performance in the MITRE eCTF. Not only did they learn a lot and do great work in the scope of the competition, but they also found and fixed a vulnerability in a widely-used open source tool,” said Carlisle.
During the competition, the CMU team made an “impressive discovery”: they found a 0day (previously unaddressed) vulnerability in the U-Boot bootloader, an important open-source software component used in embedded systems. According to Dan Walters, an organizer of the eCTF, the team was “extraordinarily professional” in disclosing the vulnerability.
“The CMU team has an exceptional group of talented, motivated, and intelligent students,” said Walters. “The team reported the vulnerability to MITRE and even sent a patch to the developers. This is exactly the kind of work that we had hoped the competition would inspire students to do.”
MITRE was so impressed with their work and professional response that the organizers created the 0day Award to recognize the team’s handling of the discovery.
“The embedded community as a whole is more secure because of their efforts,” said Carlisle. “This is really what we're trying to do at CMU: teach students skills they'll use to make the world a better place.”
The CMU team traveled to MITRE's Bedford campus on April 19, 2019 to present their work and receive their awards. Also competing in the event were teams from Northeastern University, Rochester Institute of Technology, University of Nebraska Omaha, Virginia Tech, Worcester Polytechnic Institute, University of Massachusetts Amherst, University of Connecticut, University of Pennsylvania, and Tufts University.
Q&A with INI's Student Competitors
What was the highlight of the competition for you?
Wai Tuck: The embedded CTF has two distinct phases: a defense phase and an attack phase. There were many highlights, but for me personally, I remember on the first day of the attack phase, Benjamin was at my place doing some other work and they released one of the competitors' designs; in the span of the next three hours we broke into everything they had and captured all their flags. That was really fun and we felt really confident going into the competition.
Nick: For me, the highlight of the competition was when our team exploited a complex vulnerability in the U-Boot bootloader that allowed us to gain arbitrary code execution. This exploit took a long time to get working, but was the coolest attack that we did in the competition.
Sam: The highlight of the competition was easily the attack portion. There were some really cool attacks that only worked because we were attacking the bare metal IoT device.
Alex: The highlight of the competition for me was when all of the complicated encryption schemes that we developed for our system finally fell into place, and the hours that we spent working to try and secure the machine finally started working.
What is the value in participating in embedded CTFs, or CTFs in general?
Wai Tuck: It's really about the exposure and the challenge! I think it is easy to get complacent if we just focus on coursework without looking at what others are doing and learning from them. I was really impressed with one of the competitors' designs, where they completely overhauled the system and made it really difficult for us to break into them. There's knowledge exchange (for example, we did better in exploiting memory corruption vulnerabilities in the software and we shared how we did that) and it's really a place where one can grow and become a better person (and hacker!). It is also really fun to hack with friends!
Nick: The Embedded CTF gives you the opportunity to see just how difficult it is to build something that is “secure.” It’s a very humbling and educational experience when something that you’ve been trying to secure for over a month is hacked into.
Sam: CTFs give people a more "real," hands-on approach to a lot of the topics that are covered in our classes. They add layers of complexity, creativity, and just problem-solving skills in general. They also prepare you for the same sort of issues you may find outside the classroom. Also, they're just fun.
Alex: Competing in CTFs like this I found rewarding because it showed how difficult it was to think of all of the possible security concerns, even when everyone was focused on writing secure code. Having the opportunity to break other implementations is something unique to a CTF style competition, and really prepares you for not only offensive security, but also makes you more aware of what types of attacks are possible when trying to defend systems.
How did you prepare to compete and what courses/skills/experiences armed you for success?
Wai Tuck: CMU has great courses which provide solid fundamentals in security. I took 15-487 (Introduction to Computer Security, now 15-330) when I was on exchange here before I started my master’s degree, and in the previous semester I was the teaching assistant for 14-741 (Introduction to Information Security—INI's version of 15-330), so at least in the software domain, I felt pretty good about how we were going to do in the competition. We have had teammates who were ECE majors as well to help us iron out the kinks for the hardware, plus our faculty-in-charge (Prof. Carlisle) was extremely supportive (providing and purchasing the tools we needed when we asked for it) so all these contributed to our performance during the competition.
Nick: A lot of us on the team had taken 14-642 (Introduction to Embedded Systems) and had prior experience in CTFs which I think helped a lot, especially during the attack phase.
Sam: Come to think of it, there were quite a few classes that were helpful, in no particular order: 14-741 (Introduction to Information Security), 18-600 (Foundations of Computer Systems), 14-735 (Secure Coding), 14-819 (Introduction to Software Reverse Engineering), 14-642 (Introduction to Embedded Systems), and 14-829 (Mobile Security). I also did my best to participate in other CTFs before and during the MITRE CTF.
Alex: To prepare for this I took a few courses. 14-741 (Introduction to Information Security) was a good foundation of general security concepts, and 18-732 (Secure Software Systems) was probably the best preparation for implementing a secure implementation of the device. 14-642 (Introduction to Embedded Systems) was useful for some of the ideas about how embedded systems differed from other types of machines, and 14-819 (Reverse Engineering) was also helpful for starting off with evaluating the other teams' implementations.
For my role on the team, I found that focusing on the programming side to develop the software that we ran—so really being comfortable working with others on large(ish) code bases and using good coding practices—was the most beneficial.
What is an insider tip you can offer fellow or future students who wish to compete in this and other CTF events?
Wai Tuck: Get a bunch of friends who are interested (so that you can spur each other on) and join the Plaid Parliament of Pwning (PPP)! We meet every Friday evening during school term.
Nick: Start early and make sure you understand exactly what’s going on in your system at all points. It only takes one vulnerability for the attackers to get in.
Alex: The best tip I can give is to make sure you completely evaluate the current system, and take the time to understand how all of the parts of the system work together before diving in and implementing things. It was so easy to misunderstand some simple setting that could be exploited, that taking the time initially to really know how the tools that were in place interacted with our code was vital for doing well in the competition.