Uhm….so apparently CTFs have REALLY blown up! As a founding member of Kenshoto, I remember how we pushed the envelope for CTFs (building automatic scoring systems, *actual* challenges, etc.) I was also the VJ for our first two years running, lugging my 500 DVDs with me to play my favorite little esoteric cyberpunk clips from movies (like “Memories“, “Roujin Z“, “Tetsuo“) interspersed with funny video memes.
After I moved to New York, I missed running CTFs so while I was at Matasano I designed the scoring system and all the Reverse Engineering challenges for New York University’s International CSAW CTF competition one year.
So I thought I knew what was up….but DAMN, I had NO idea that CTF has gotten so popular. In my recent trip to Seoul Korea for SecuInside (a conference organized by CTF dominator Beist himself) I was really surprised to see how CTF competitions have taken off on a international scale. South Korea alone has over 3,000 registered CTF teams!
This year SecuInside (held in the Ritz Carleton, Seoul) was host to 7-9 finalist teams, most of which were international (from China, Japan, Germany, Russia, US, etc). The qualifying US team I remembered from our Kenshoto CTFs as the Carnegie Mellon Plaid Parlaiment of Pwning team or (PPP).
There was a time when professional reverse engineers and exploit developers could rightfully scoff at CTF competitions, because honestly back then, they were admittedly pretty lame. But things are really different now.
Over beers in a back alley after-con bar, I asked the PPP team about some of the challenges. The one I found most interesting (and impressed that they solved), was a “fake photo editing web app” that was a compiled binary CGI that did JPEG parsing and rendering back to the browser. The category it was in was “pwnables” which means the team receives a copy of the binary to analyze and weaponize an exploit for. The payload then has to be thrown at a hosted copy of the binary.
Well there was an integer overflow in the JPEG header parsing code which was exploitable. Most of us can find a bug like this but usually under less time constrains. But these guys found this bug pretty early on. It may not seem impressive to seasoned “real-world” bug hunters, but when you are playing CTF you sometimes have no idea what kind of vulnerability you are looking for. Will it be a logic bug? Is it worth opening in IDA? Maybe its simply a lame Time-of-Check-Time-Of-Use on a privileged temp file somewhere? You don’t have the open runway of weeks, months, or *unlimited* like you might on a contractual engagement. You have hours.
Because CTFs are contrived, when they include custom exploitation challenges they can actually be more of a pain than real-world exploitation. In this case, the integer overflow would’ve been a shallow fuzz, but thats AFTER you had to resolve to even look for that “level” of bug and invested the time in building a fuzzer and test harness/fault-detection instrumentation.
If you resolved to open it in IDA, you would’ve had to care enough to mount that logical hurdle we all have when you tell yourself: “ok, guess I am going to just going to have to reverse this entire thing”…you’d have run into the bug early, but still, the hurdle is sometimes enough to make you not care…..and these guys do.
When I learned about this particular challenge and how quickly they solved it, I was really impressed. Miles Davis said this about young musicians: ”One of the reasons I like playing with a lot of young musicians today is because I find that a lot of old jazz musicians are lazy ‘mother-fletchers,’ resisting change and holding on to the old ways because they are too lazy to try something different.”.
I feel the same way about infosec. I am getting old, and lazy, and resistant to change, so talking with these guys who are still excited by this stuff reminds me how excited I used to get and I get to live vicariously through them if only for a bit.
Nonetheless, CTFs really have grown up, and SecuInside is living proof of this on an international scale. The con talks themselves were secondary to the CTF activities which was unique. I liked that. The con itself seemed particularly well organized by very generous and genuinely kind folks. (The con even had some uniquely Korean cultural formalities that you don’t see at other cons) I found it neat that “hacker cons” are getting culturally customized in different countries and are becoming respectable enough to get the attention of bona fide businessmen the world over.
I could tell you more about the conference, but photos are worth a thousand words, so here is a fully captioned photo journal of our experience in Seoul Korea for SecuInside 2012.