What was the highlight of the competition for you?

Wai Tuck: The embedded CTF has two distinct phases: a defense phase and an attack phase. There were many highlights, but for me personally, I remember on the first day of the attack phase, Benjamin was at my place doing some other work and they released one of the competitor's design; in a span of the next three hours we broke into everything they had and captured all their flags. That was really fun and we felt really confident going into the competition.

Nick: For me, the highlight of the competition was when our team exploited a complex vulnerability in the U-Boot bootloader that allowed us to gain arbitrary code execution. This exploit took a long time to get working, but was the coolest attack that we did in the competition. 

Sam: The highlight of the competition was easily the attack portion. There were some really cool attacks that only worked because we were attacking the bare metal IoT device.

Alex: The highlight of the competition for me was when all of the complicated encryption schemes that we developed for our system finally fell into place, and the hours that we spent working to try and secure the machine finally started working.

What is the value in participating in embedded CTFs, or CTFs in general?

Wai Tuck: It's really about the exposure and the challenge! I think it is easy to get complacent if we just focus on coursework without looking at what others are doing and learning from them. I was really impressed with one of the competitor's design where they completely overhauled the system and made it really difficult for us to break into them. There's knowledge exchange (for example - we did better in exploiting memory corruption vulnerabilities in the software and we shared how we did that) and it's really a place where one can grow and become a better person (and hacker!). It is also really fun to hack with friends!

Nick: The Embedded CTF gives you the opportunity to see just how difficult it is to build something that is “secure.” It’s a very humbling and educational experience when something that you’ve been trying to secure for over a month is hacked into. 

Sam: CTFs give people a more "real," hands-on approach to a lot of the topics that are covered in our classes. They add layers of complexity, creativity, and just problem-solving skills in general. They also prepare you for the same sort of issues you may find outside the class room. Also, they're just fun.

Alex: Competing in CTFs like this I found rewarding because it showed how difficult it was to think of all of the possible security concerns, even when everyone was focused on writing secure code. Having the opportunity to break other implementations is something unique to a CTF style competition, and really prepares you for not only offensive security, but also makes you more aware of what types of attacks are possible when trying to defend systems.

How did you prepare to compete and what courses/skills/experiences armed you for success?

Wai Tuck: CMU has great courses which provide solid fundamentals in security. I took 15-487 (Introduction to Computer Security, now 15-330) when I was on exchange here before I started my master’s degree, and in the previous semester I was the teaching assistant for 14-741 (Introduction to Information Security—INI's version of 15-330), so at least in the software domain, I felt pretty good about how we were going to do in the competition. We have had teammates who were ECE majors as well to help us iron out the kinks for the hardware, plus our faculty-in-charge (Prof. Carlisle) was extremely supportive (providing and purchasing the tools we needed when we asked for it) so all these contributed to our performance during the competition.

Nick: A lot of us on the team had taken 14-642 (Introduction to Embedded Systems) and had prior experience in CTFs which I think helped a lot, especially during the attack phase. 

Sam: Come to think of it, there were quite a few classes that were helpful, in no particular order: 14-741 (Introduction to Information Security), 18-600 (Foundations of Computer Systems), 14-735 (Secure Coding), 14-819 (Introduction to Software Reverse Engineering), 14-642 (Introduction to Embedded Systems), and 14-829 (Mobile Security). I also did my best to participate in other CTFs before and during the MITRE CTF.

Alex: To prepare for this I took a few of courses, 14-741 (Introduction to Information Security) was a good foundation of general security concepts, 18-732 (Secure Software Systems) was probably the best preparation for implementing a secure implementation of the device. 14-642 (Introduction to Embedded Systems) was useful for some of the ideas about how embedded systems differed from other types of machines and 14-819 (Reverse Engineering) was also helpful for starting off with evaluating the other team's implementation.

For my role on the team, I found that focusing on the programming side to develop the software that we ran—so really being comfortable working with others on large(ish) code bases and using good coding practices—was the most beneficial. 

What is an insider tip you can offer fellow or future students who wish to compete in this and other CTF events?

Wai Tuck: Get a bunch of friends who are interested (so that you can spur each other on) and join the Plaid Parliament of Pwning (PPP)! We meet every Friday evening during school term. 

Nick: Start early and make sure you understand exactly what’s going on in your system at all points. It only takes one vulnerability for the attackers to get in.

Alex: The best tip I can give is to make sure you completely evaluate the current system, and take the time to understand how all of the parts of the system work together before diving in and implementing things. It was so easy to misunderstand some simple setting that could be exploited, that taking the time initially to really know how the tools that were in place interacted with our code was vital for doing well in the competition.