-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
1473ddb
commit 0f03533
Showing
4 changed files
with
178 additions
and
47 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,162 @@ | ||
| # iCTF: the International Capture The Flag Competition | ||
|
|
||
| The International Capture The Flag ("iCTF") is a distributed, wide-area security exercise, which aims to test the security skills of the participants. | ||
| The iCTF is one of the world's largest and longest-running educational hacking competitions and has the goal of educating students about security-related topics in a live setting. | ||
|
|
||
| iCTF 2023 | ||
| --------- | ||
|
|
||
| The iCTF 2023 will take place on December 2, 2023, at 10 am Pacific Time to December 8, 2023, at 4 pm, Pacific Time. | ||
| Registration deadline is November 24th, 2023, at 11:59 pm Pacific Time. | ||
|
|
||
| This edition of the competition has a different design and scope with respect to previous editions of the iCTF, so read the rules and instructions carefully. | ||
|
|
||
| Instructions and Rules | ||
| ---------------------- | ||
|
|
||
| The iCTF contest is multi-site, multi-team hacking contest in which several teams compete independently against each other. | ||
| Different from the past, the 2023 iCTF is challenge-based. | ||
| This means that instead of having the teams attack each other, every team operates independently, trying to solve a set of challenges. | ||
| Each challenge has a flag (which looks like `ictf{ThisIsTheFlag}`) that can only be obtained by solving the challenge. | ||
| Once the challenge is solved, the flag is submitted to a central site for points. | ||
| The team with the most points at the end of the game wins (in case of a draw, the team that obtained the final highest score first wins). | ||
|
|
||
| The competition is educational and has two tracks: one for high school teams and one for undergraduate students. | ||
| Each team cannot be composed of more than 10 people (but an institution can have multiple, non-colluding teams) and must have an associated faculty/lecturer/teacher who is responsible for the ethical behavior of the team. | ||
| The teams need to register using this [form](https://ictf.cs.ucsb.edu/register) by November 24. | ||
| Please use [this link](https://discord.gg/p6NQz422GU) to join the iCTF Discord channel. | ||
|
|
||
| The usual rules of a CTF apply: | ||
| * No Denial of Service (DoS) attacks | ||
| * No sharing flags, exploits, or hints | ||
| * No attacks against the infrastructure | ||
| * The organizers' decisions are final | ||
| * If you misbehave, you will be warned -- if you continue to misbehave you'll be kicked out | ||
|
|
||
| The iCTF is sponsored by the [ACTION NSF AI Institute](https://action.ucsb.edu), and it is organized by [Shellphish](https://www.shellphish.net) and the [UCSB Women in Computer Science group](https://wics-ucsb.github.io/). | ||
|
|
||
| For any questions, please use the Discord channel or send an email to [[email protected]](mailto:[email protected]). | ||
|
|
||
|
|
||
| Workshop for interested teams | ||
| ----------------------------- | ||
| An informational workshop was held on October 6th, 2023 to introduce the iCTF, the workshop [was recorded](https://drive.google.com/file/d/1Dn3EKbIfzEgDeIl0G-Oeh5-sY3lDcoFK/view?usp=share_link). | ||
|
|
||
| <!-- | ||
| History and Background | ||
| ---------------------- | ||
| The iCTF evolved from several security "live exercises" that were carried out locally by Prof. [Giovanni Vigna](http://www.cs.ucsb.edu/~vigna/) at UC Santa Barbara, in 2001 and 2002. | ||
| Motivated by the students' enthusiasm for security competitions, Prof. Vigna carried out the first wide-area edition of the iCTF in December 2003. | ||
| In that CTF, fourteen teams from around the United States competed in a contest to compromise other teams' network services while trying to protect their services from attacks. | ||
| This historical contest included teams from UC Santa Barbara, North Carolina State University, the Naval Postgraduate School in Monterey, the West Point Academy, Georgia Tech, the University of Texas at Austin, and the University of Illinois, Urbana-Champaign. | ||
| In 2004, the iCTF evolved into a truly *international* exercise (hence, the name "iCTF"), which included teams from the United States, Austria, Germany, Italy, and Norway. | ||
| For many years, the iCTF was the world's largest educational security competition and helped popularize this type of event. | ||
| In traditional editions of the iCTF competition, the goal of each team is to maintain a set of services so that they remain available and uncompromised throughout the contest. | ||
| Each team also has to attempt to compromise the other teams' services. | ||
| Since all the teams have access to an identical copy of the virtual host containing the vulnerable services, each team has to find vulnerabilities in their copy of the hosts and possibly fix the vulnerabilities without disrupting the services. | ||
| At the same time, the teams have to leverage their knowledge about the vulnerabilities they found to compromise the servers run by other teams. | ||
| Compromising a service allows a team to bypass the service's security mechanisms and to "capture the flag" associated with the service. | ||
| These flags are then presented to the organizers as "proof of compromise" to receive "attack" points. | ||
| The teams also receive "defense" points if they can keep their services functional and uncompromised. | ||
| At the end of the competition, the team with the most points wins. | ||
| Throughout the years, new competition designs have been introduced that innovated the more "traditional" designs followed in the early editions of the competition. | ||
| More precisely, in 2008 the iCTF featured a separate virtual network for each team. | ||
| The goal was to attack a terrorist network and defuse a bomb after compromising several hosts. | ||
| This competition allowed for the recording of several parallel multi-stage attacks against the same network. | ||
| The resulting dataset has been used as the basis for correlation and attack prediction research. | ||
| In 2009, the participants had to compromise the browsers of a large group of simulated users, steal their money, and create a botnet. | ||
| This design focused particularly on the concept of drive-by attacks, in which users are lured into visiting websites that deliver attacks silently. | ||
| In 2010, the participants were part of a coalition that had to attack the rogue nation of Litya, ruled by the evil Lisvoy Bironulesk. | ||
| A new design forced the team to attack the services supporting Litya's infrastructure only at specific times when certain activities were in progress. | ||
| In addition, an intrusion detection system would temporarily firewall out the teams whose attacks were detected. | ||
| In 2011, the participants had to "launder" their money through the execution of exploits, which had some risks associated with them. | ||
| This created an interesting exercise in evaluating the risk/reward trade-offs in network security. | ||
| In both 2012 and 2013, teams had to "weaponize" their exploits and give them to the organizer, who would then schedule their execution. | ||
| This last design was a first step towards the creation of a "cyber-range" where interesting network datasets (with ground truth) can be created to support security research. | ||
| In 2014, the competition was used as a way to publicize the iCTF Framework. | ||
| To this end, the vulnerable virtual machine contained 42 services from previous iCTF editions, which forced the participants to effectively triage their efforts. | ||
| In 2015, the iCTF followed a novel design: to participate, the teams had to provide a vulnerable service that would become part of the competition. | ||
| As a result, the 2015 iCTF featured 35 new services (and 35 teams) and tested a new set of skills, in addition to attack and defense: the ability to create a well-balanced vulnerable service. | ||
| In 2016, we decided to permanently move the competition to March (and since the decision was made in October, there was no iCTF event in that year). | ||
| In March 2017, the iCTF was run using Amazon Web Services (Amazon's cloud). | ||
| All components were run in an enclave, and the competition, for the first time, was open to the world, resulting in more than 280 teams participating. | ||
| Until then, only academic teams were allowed to participate. | ||
| In March 2019, the iCTF competition continued to be hosted on Amazon AWS infrastructure and introduced a new way of creating and deploying services using containers. | ||
| The competition was held on March 15th, 2019 with almost 400 teams participating. | ||
| In March 2020, the iCTF competition featured a novel component-based deployment mode, that allowed for greater scalability. | ||
| In December 2021, we themed the competition around Decentralized Finance (DeFi), while operating under the duress introduced by COVID. | ||
| In 2022, we didn't have a competition, largely due to the impact of COVID-19 on all of Shellphish's activities. | ||
| --> | ||
|
|
||
| <!-- | ||
| The iCTF Framework | ||
| ------------------ | ||
| Shellphish has made available to the public the iCTF framework, which is the software infrastructure used to run the competition. | ||
| The framework is available for download on GitHub: [https://github.com/shellphish/ictf-framework](https://github.com/shellphish/ictf-framework) | ||
| The iCTF framework is free for both commercial and non-commercial use (donations are welcome!). | ||
| The iCTF competition is based on the iCTF framework and similar competitions can leverage the framework to create other educational security competitions. | ||
| Archive | ||
| ------- | ||
| An archive with resources for previous years can be found here: | ||
| * [Archive](archive/) | ||
| This is a port of an older archive so data is often missing for older entries. | ||
| --> | ||
|
|
||
| Publications | ||
| ------------ | ||
|
|
||
| The organizers of the iCTF have published a number of papers about various aspects of designing and organizing security competitions: | ||
|
|
||
| * "How Shall We Play a Game: A Game-Theoretical Model for Cyber-warfare Games," by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley, in *Proceedings of the IEEE Computer Security Foundations Symposium (CSF)*, Santa Barbara, CA, August 2017. | ||
|
|
||
| * "Shell We Play A Game? CTF-as-a-service for Security Education," by Erik Trickel, Francesco Disperati, Eric Gustafson, Faezeh Kalantari, Mike Mabey, Naveen Tiwari, Yeganeh Safaei, Adam Doupe, and Giovanni Vigna, in *Proceedings of the USENIX Workshop on Advances in Security Education (ASE)*, Vancouver, BC, August 2017. | ||
|
|
||
| * "Ten Years of iCTF: The Good, The Bad, and The Ugly," by Giovanni Vigna, Kevin Borgolte, Jacopo Corbetta, Adam Doupe, Yanick Fratantonio, Luca Invernizzi, Dhilung Kirat, and Yan Shoshitaishvili, in *Proceedings of the USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE)*, San Diego, CA, August 2014. | ||
|
|
||
| * "Do You Feel Lucky? A Large-Scale Analysis of Risk-Rewards Trade-Offs in Cyber Security," by Yan Shoshitaishvili, Luca Invernizzi, Adam Doupe, and Giovanni Vigna, in *Proceedings of the ACM Symposium on Applied Computing (SAC)*, Gyeongju, Korea, March 2014. | ||
|
|
||
| * "Formulating Cyber-Security as Convex Optimization Problems," by Kyriakos Vamvoudakis, Joao Hespanha, Richard Kemmerer, Giovanni Vigna in *Control of Cyber-Physical Systems*, Lecture Notes in Control and Information Sciences, July 2013. | ||
|
|
||
| * "Influence of team communication and coordination on the performance of teams at the iCTF competition," by S. Jariwala, M. Champion, P. Rajivan, and N. Cooke, in *Proceedings of the Annual Conference of the Human Factors and Ergonomics Society*, Santa Monica, CA, 2012. | ||
|
|
||
| * "Hit 'em Where it Hurts: A Live Security Exercise on Cyber Situational Awareness," by Adam Doupe, Manuel Egele, Benjamin Caillat, Gianluca Stringhini, Gorkem Yakin, Ali Zand, Ludovico Cavedon, Giovanni Vigna, in *Proceedings of the Annual Computer Security Applications Conference (ACSAC)*, Orlando, FL, December 2011. | ||
|
|
||
| * "Organizing Large Scale Hacking Competitions," by Nicholas Childers, Bryce Boe, Lorenzo Cavallaro, Ludovico Cavedon, Marco Cova, Manuel Egele, Giovanni Vigna, in *Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)*, Bonn, Germany, July 2010. | ||
|
|
||
| * "Teaching Network Security Through Live Exercises," by Giovanni Vigna, in *Proceedings of the Third Annual World Conference on Information Security Education (WISE)*, Monterey, CA, June 2003. | ||
|
|
||
| * "Teaching Hands-On Network Security: Testbeds and Live Exercises," by Giovanni Vigna, in *Journal of Information Warfare*, vol. 3, no. 2, February 2003. | ||
|
|
||
| <!-- | ||
| Point Of Contact | ||
| ---------------- | ||
| The International Capture The Flag (iCTF) is organized by [Shellphish](https://shellphish.net). | ||
| For information contact [[email protected]](mailto:[email protected]). | ||
| --> |
Oops, something went wrong.