In blacksmith's house, the skewer is not made of wood: evolving a secure platform for security competitions
Abstract
Capture-The-Flag (CTF) events are information security competitions. Even though they are organized by experts in the field, the platforms used to run them are subject to vulnerabilities, just like any other software. The literature has proposed the NIZKCTF (Non-Interactive Zero-Knowledge Capture the Flag) protocol, in which participants submit a zero-knowledge proof that they hold the answers to the competition's challenges; its implementation, however, lacks usability requirements that only became apparent through its use over the years. This paper discusses the lessons learned and the adaptations to NIZKCTF made by the organizers of the Pwn2Win CTF from 2017 to 2021.
Keywords:
ctf, nizkctf, security by design, usability
Published
2021-10-04
How to Cite
KONDO, Lorhan Sohaky de Oliveira Duda; MENDONÇA, Bruno de Azevedo; SMAIRA, André de Freitas; MATIAS, Paulo. In blacksmith's house, the skewer is not made of wood: evolving a secure platform for security competitions. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 21., 2021, Belém. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 365-378. DOI: https://doi.org/10.5753/sbseg.2021.17328.
