Embedded Capture the Flag (eCTF): Learning about Embedded Systems Security One Flag at a Time

Image courtesy of Pixabay

Author: Amanda Andrei

You are part of the design team tasked with implementing a modern chip-and-PIN ATM system for your newest customer: a large banking chain. The bank has contracted an outside firm to design the user interface of the ATM and wants to maintain the existing bank administration software they currently use, so your design will have to use pre-defined application programming interfaces (APIs). All other design and implementation decisions are up to you.

So starts the challenge for MITRE’s 2018 Embedded Capture-the-Flag (eCTF) competition. Having wrapped up its third year, eCTF provides an opportunity for university students to gain hands-on experience in building, programming, securing, and hacking into embedded systems, thereby also learning important skills in cybersecurity, electrical engineering, and teamwork. 

Capturing Opportunity

Several years ago, Dan Walters, principal embedded security engineer, noticed an opportunity for growth. Education and training existed for students in the areas of embedded system development (programming, designing) or for cybersecurity, but not on embedded systems security. Embedded systems are often portable and used in places where they can be stolen or lost or where an attacker can gain physical access to them. This turns into a different kind of problem from a traditional cybersecurity problem, where attacks take place virtually.

Walters was inspired to create eCTF based on his own experiences in cybersecurity capture-the-flag events. “I’d spend hours reading some of the driest computer manual to understand how to do something that I otherwise would not have the motivation to read through,” he laughs, “but because it would help me solve the challenge and get points for the team, it became easy. Because they’re competitive in nature, to see that live scoreboard, to see your team get points as you solve challenges—it’s just really motivating.” These events spur students to hone in on a topic and do the best they can—not just for themselves, but for their teammates as well.

Designing Real Systems

The first eCTF took place in 2016 with four colleges local to the MITRE Bedford headquarters, with Worchester Polytechnic Institute’s team, We’re Probably Insecure, winning first place. The following year, they expanded to eight schools, with the University of Connecticut’s team, Firmware Dogs, taking the first-place prize. This year, they grew to eleven schools, and Virginia Tech’s Hokie Hackers team won first place.

In the challenge, participants go through an exercise of creating a secure system and learning from their mistakes. Students receive a real, physical embedded device – unique in CTFs! – and are encouraged to consider proper use of hardware security features, such as lock bits and protected memories. “We choose the security challenge based on several criteria,” explains Jeff Hamalainen, lead embedded security engineer and the lead organizer of the 2018 Collegiate eCTF. “We want hardware to be involved, and we want a compelling security use case that’s used in the real world.”

Each team designs a secure system that meets the challenge requirements and hands off the design to MITRE. MITRE then verifies that the system meets the requirements and, if so, posts it for other teams to evaluate. Teams then move into the attack phase, where they perform a security evaluation of all the other opposing teams’ systems. When they identify and exploit a security flaw, they are awarded a “flag” – and points!

Another unique aspect of eCTF is that it lasts an entire semester, instead of only 24 or 48 hours (the common duration of cybersecurity CTFs), giving students the chance to work in-depth over a sustained amount of time. According to Hamalainen, “the fact that it’s stretched out over such a long time allows teams to learn from their mistakes in a way you don’t get in a lot of other CTFs. One year a team made a mistake that sadly ruined a lot of their design, but I can guarantee they will never forget to set the lock bits (that protect against reading out firmware) on their chips again.”

Brian Marquis, now an embedded security engineer at MITRE and part of the 2017 winning team, agrees: “Learning whether or not you lose a flag, especially in the capturing portion—that’s where the magic really happens.” Though his team won without having any of their flags captured, he says, “I definitely learned by going through it and seeing the other vulnerabilities the other teams had that we didn’t think about and that we were fortunate enough to get away with.”

Forging Ahead

The MITRE team is already planning the 2019 challenge. “We’ve picked a new hardware platform that’s much more powerful and interesting,” says Walters, “and we always bring some new mix-in to make it experimental and interesting.” Teaser: it’ll be focused around a video game system. MITRE is also reaching out to external partners to help build the challenge and run the event.

As Marquis sums it up, “Looking at everyone’s code, everyone’s trying to do the same thing, but each team has a different approach. It’s neat to see how everyone approached solving challenges and putting up different defenses. Having this venue to explore the topics is really valuable.”

Visit http://mitrecyberacademy.org/competitions/embedded/ for more details.

eCTF in the news:

Winners from the 2018 Collegiate eCTF

Winners from the 2017 Collegiate eCTF

Winners from the 2016 Collegiate eCTF


Amanda Andrei is a computational social scientist in the Department of Cognitive Sciences and Artificial Intelligence. She specializes in social media analysis, designing innovative spaces, and writing articles on cool subjects.

See also

Consolidating Embedded Systems Security Through Education, Competition, and Business

© 2018 The MITRE Corporation. All rights reserved. Approved for public release.  Distribution unlimited. Case number 18-2429

MITRE’s mission-driven team is dedicated to solving problems for a safer world. Learn more about MITRE.


Pin It on Pinterest

Share This