Thursday, September 24, 2009

Carnegie Mellon's Capture the Flag Team Excels in Hackjam Competition

Our Hackjam will consist of 10 challenges which relate to Binary Analysis, Reverse Engineering, Exploitation, Web Security, Forensics, and all the other materials that are required to be a hacker. I can guarantee that these problems are not like other CTFs where they have to solve nonsense puzzles instead of true hacking. We tried to create challenges that greatly resemble real world scenarios and environments, at the same time adding fun and educational ingredients to them. Trust me, you won't regret it.
Sapheads Hackjam

By Richard Power

Carnegie Mellon University's "Capture The Flag" (CTF) team, a.k.a. "Plaid Parliament Of Pwning", won third place in a recent Sapheads Hackjam competition.

CyLab researcher David Brumley, the team's faculty sponsor, provides some context: "Capture the Flag is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. There were 100 teams from all over the world, so this is quite an accomplishment. They were top in the US, and solved as many problems as the top two winners."

Brumley also cited CyLab's strong contribution to the effort's success: "JongHyup is a visiting scholar at CyLab. Jiyong, Sang Kil, and Ed are all funded by CyLab, and CyLab provides resources and space for the team. Symantec, one of CyLab's corporate partners, was also a sponsor."

Here's the proud roster of Plaid Parliament Of Pwning:

Joseph Ceirante (MS, INI)
Jonathon Cooke (MS, INI)
Brian Pak (Undergrad, CSD)
Sang Kil Cha (MS, ECE)
Jiyong Jang (PhD, ECE)
JongHyup Lee (Postdoc, ECE)
Ed Schwartz (PhD, ECE)
Andrew Wesie (Undergrad, CSD)

Here is my interview with the team.

CyBlog: Describe the nature of this particular CTF contest. And what level of teamwork was required?

Plaid Parliament Of Pwning: The general format and rules were similar to other CTF contests, where we need to find a key string to proceed to the next stage. However, Sapheads – host of HackJam – claimed that they had differentiated their problem sets from others. Unlike usual CTF contests, they tried to relate problems to real world scenarios.
As problems got harder to solve, teamwork became more critical. The more brains that are coming up with ideas, the more successful you are going to be. It is possible for one person to do the entire competition, but doing it as a team is more effective and faster.

CyBlog: Give us an example or two of the kinds of problems you had to solve.

Plaid Parliament Of Pwning: Most of the problems required a mixture of several categories of techniques. These categories include binary reverse engineering/exploitation, web hacking, and forensics.
First, as an example of binary exploitation, we needed to exploit a binary with stack protection that was running on the target server. Specifically, it was checking the integrity of the stack.
Also, as an example of web hacking, we had to use XSS (Cross Site Scripting) and PHP code injection to access confidential data (in this case, the key phrase).
Third, we also had a forensics problem, where we needed to analyze captured network packets and extract various types of data, such as zip and VoIP, that gave a hint for the password.

CyBlog: What was the most challenging problem you solved successfully and how did you do it?

Plaid Parliament Of Pwning: A problem that was both very interesting and challenging involved reconstructing an OpenSSH private key that was being used for public key authentication from the core dump of ssh-agent. This problem was unique because we weren't trying to exploit some bug or reverse a program, since it involved an open source program whose source code was readily available. Instead, it required you to be able to understand the source code quickly, relate it to what was in memory, and extract the information you needed.
Finding the key in memory wasn't too hard. You just needed to follow a couple of pointers and you were at the bytes you needed. What made it difficult is the format the key was in: arrays of integers. How do a couple of arrays of integers represent the components of an encryption key? Thanks to the source code and Wikipedia, it was trivial to see that each array represented one big number. Then, after sifting through the OpenSSL source code, which is quite a mess, one can start to imagine how these integers end up representing some really big numbers. And then it is a simple matter of constructing a private key file. Though it was not easy to find documentation for the OpenSSH private keys. Thankfully, after some time, another open source program plus a little luck resulted in a working private key.
Moral of the story, and one that holds for the version of OpenSSH I looked at: letting a program that has your private keys core dump is a really bad idea.
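The hardening that the answer's moral points at, added here by the editor and not code from the team, OpenSSH or the contest: a C routine that refuses core dumps for a process holding secrets, plus a check that the setting actually took effect. It assumes a Unix host; the dumpable-flag part is Linux-only and is compiled out elsewhere.

```c
#include <stdio.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Refuse to write a core file. Any secret held in this process's memory
 * (for example an unencrypted private key loaded into an agent) would
 * otherwise be copied to disk when the process crashes or is dumped. */
int disable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Belt and braces on Linux: clearing the dumpable flag blocks core
     * files regardless of the limit and also stops other unprivileged
     * processes of the same user from reading this one's memory. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Verify the hardening: 1 if core dumps are off, 0 otherwise. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0 || rl.rlim_cur != 0)
        return 0;
#ifdef __linux__
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0)
        return 0;
#endif
    return 1;
}

int main(void)
{
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("core dumps disabled: %s\n", core_dumps_disabled() ? "yes" : "no");
    return 0;
}
```

This closes the accidental path the team used (a core file lying on disk); root, or anything holding CAP_SYS_PTRACE, can still read the live process, so it complements rather than replaces keeping secrets out of long-lived memory.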

CyBlog: What do such contests teach you about the nature of developing attacks and countermeasures?

Plaid Parliament Of Pwning: One of the ways that the problems got harder is that they started to implement some countermeasures against buffer overflow attacks. Obviously these countermeasures weren't perfect, but they definitely made it more challenging. And this is somewhat realistic: anyone with enough time and resources is going to find a way to break your system; the best you can do, for now, is to make it as difficult as you possibly can.

CyBlog: Do you discern any differences in style, skill levels, etc., between hackers from different countries or regions?

Plaid Parliament Of Pwning: What determines the style and skill level between hackers is their past experiences. While the country or region they are from can influence this, it definitely is not a major difference.