#RSAC
SESSION ID: HUM-F02
HOW THE BEST HACKERS LEARN THEIR CRAFT
David Brumley, CEO, ForAllSecure; Professor, Carnegie Mellon University; @thedavidbrumley

George Hotz
• First iPhone jailbreak
• PlayStation 3
• Zero-days in Adobe, Firefox, …
Image Credit: https://goo.gl/rhmFEb

Richard Zhu
• Mozilla Firefox (’18)
• Microsoft Edge (’17 & ’18)
• iOS Safari (’17)
Image Credit: https://goo.gl/yY5FRg

#1 US team since 2011
#1 overall 3 of the past 7 years
4 DEFCON wins – most wins in DEFCON history

Learning Objectives
1. Understand how top experts use capture the flag competitions for deliberate practice.
2. See how hacking competitions gamify learning computer security.
3. Learn how to set up a system for building a top-ranked hacker culture.
Basic Knowledge
Question
Flag
Answer: FAT

Jeopardy-Style CTF Categories
Basic Knowledge | Reverse engineering | Network security | Program exploitation | Cryptography | Forensics
(Difficulty increases down each column; the cryptography column is shown:)
Caesar Cipher ...... 10 pts
Frequency analysis ...... 20 pts
RSA Encryption ...... 40 pts
RSA Low Exponent ...... 100 pts

Gamify Learning
CTF Principles
1 Applied, deliberate practice
2 Autodidactic learning
3 Creative problem solving

1 Applied, deliberate practice
Reverse engineering | Network security | Program exploitation | Cryptography | Forensics
”Buffer Overflow”
Class: 90 minute lecture
1. Sophomore course
2. Students understand concept
Challenge: Apply knowledge
1. Real program buffer size?
2. Create long user input?
3. Create specific attack input?
4. …
(Diagram: user input size programmed as 10 bytes long; user input given is 50 bytes long)

CTF Problem: Show You Can Do It
2 Autodidactic Learning
Auto: self; didactic: learn

Romantic, but not real
Image: http://www.starwars.com/news/6-great-quotes-about-the-force

2 Auto-didactic Learning
Richard didn’t know either. He read up.

2 Auto-didactic Learning
4 byte ret address
4 byte ebp
0x70 byte sub = 112 bytes
Answer: 116

3 Creative Problem Solving
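Where the 116 above comes from, worked through as an added example (this is not code from the talk): on 32-bit x86 with a frame pointer, the prologue `push ebp; mov ebp, esp; sub esp, 0x70` leaves 0x70 = 112 bytes of locals below the saved ebp, with the return address 4 bytes above that. The parser below reads such a prologue and reports the offsets. The prologue text is constructed to match the slide's numbers, and the assumption (stated in the code) is that the buffer in question is the lowest local, starting at esp once the prologue has run.

```python
# Added example (not from the talk): derive the slide's answer, 116, from a
# 32-bit x86 function prologue. Assumption: the buffer is the lowest local,
# i.e. it starts at esp right after the prologue.
import re

PTR_SIZE = 4  # bytes per pointer on 32-bit x86

# Constructed prologue matching the slide's numbers; not disassembly of any real binary.
PROLOGUE = """
push ebp
mov ebp, esp
sub esp, 0x70
"""


def frame_layout(prologue: str, ptr_size: int = PTR_SIZE) -> dict:
    """Parse a prologue and return byte offsets, measured from the start of
    the lowest local, of the saved ebp and of the return address."""
    locals_size = 0
    pushes = 0  # 'push ebp' plus any callee-saved registers pushed before the locals
    for line in prologue.strip().splitlines():
        line = line.strip().lower()
        m = re.match(r"sub\s+esp\s*,\s*(0x[0-9a-f]+|\d+)$", line)
        if m:
            locals_size += int(m.group(1), 0)  # base 0 accepts 0x70 or 112
        elif re.match(r"push\s+e(bp|bx|si|di)$", line):
            pushes += 1
    return {
        "locals_size": locals_size,
        # Saved registers sit between the locals and the return address;
        # 'push ebp' happens first, so the saved ebp is the highest of them.
        "saved_ebp_offset": locals_size + ptr_size * (pushes - 1),
        "return_address_offset": locals_size + ptr_size * pushes,
    }


if __name__ == "__main__":
    layout = frame_layout(PROLOGUE)
    print(layout)  # return_address_offset is 116 for the slide's prologue
```

The same layout is the reason a compiler-inserted stack canary is placed between the locals and the saved ebp: any write that runs off the end of the buffer far enough to reach the return address has to pass through the canary first.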
Solution vs Result
Problem in CTFs: “find the flag”
• Solution is flag submitted, like 116 here.
• Wrong! flag ≠ solution
• Flag = result of the solution
This simplicity is fundamental to creativity
• Check only the results (i.e., the flag)
• Place few constraints on the solution

Creativity in problem solving
All valid approaches
Hack.IM CTF 2012 Example
• Break into PHP-powered website made by organizers
• Reference solution used XPath injection vulnerability
• Dutch solution found flaw in PHP, a major programming language

Adi Shamir, Len Adleman, Ron Rivest
RSA is considered mathematically secure.
Picture from http://www.usc.edu/dept/molecular-science/RSA-2003.htm

Software Security / Cryptography
The crypto (math) doesn’t talk about code (app)
Timing attacks against crypto
Suppose my wife asks: “Do I look fat in this outfit?”
Any hesitation reveals information.

Crypto Software
If key = 1, 1 sec. to decrypt
If key = 2, 2 sec. to decrypt
If key = 3, 3 sec. to decrypt …
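A toy model of the leak described above, added here as an example (not code from the talk): a check that stops at the first mismatching byte does an amount of work that depends on how much of the secret the input already matches, so its running time reveals information the math never accounted for; a constant-time check does the same work for every input. To keep the demonstration deterministic the code counts bytes examined instead of measuring wall-clock time. The secret and the guesses are constructed values.

```python
# Added example (not from the talk): work done by an early-exit comparison
# tracks the matching prefix of the input; a constant-time comparison does not.
import hmac


def leaky_compare(guess: bytes, secret: bytes) -> tuple:
    """Early-exit comparison. Returns (match, bytes examined); the second
    value stands in for elapsed time and leaks the length of the matching prefix."""
    if len(guess) != len(secret):
        return False, 0
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined
    return True, examined


def constant_time_compare(guess: bytes, secret: bytes) -> tuple:
    """Examines every byte regardless of where mismatches occur, so the work
    (and, in real code, the time) does not depend on the secret's contents."""
    if len(guess) != len(secret):
        return False, 0
    diff = 0
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        diff |= g ^ s
    return diff == 0, examined


def work_profile(compare, secret: bytes, guesses) -> list:
    """Bytes examined for each guess. With a leaky compare this list grows
    with the matching prefix; with a constant-time compare it is flat."""
    return [compare(g, secret)[1] for g in guesses]


def production_check(guess: bytes, secret: bytes) -> bool:
    """What real code should do: use the library's constant-time comparison
    rather than a hand-rolled loop the compiler or interpreter may optimise."""
    return hmac.compare_digest(guess, secret)


# Constructed secret and guesses, each matching a longer prefix than the last.
SECRET = b"FLAG{t1m1ng}"
GUESSES = [b"XXXXXXXXXXXX", b"FXXXXXXXXXXX", b"FLAGXXXXXXXX", b"FLAG{t1m1ng}"]

if __name__ == "__main__":
    print("leaky:        ", work_profile(leaky_compare, SECRET, GUESSES))
    print("constant-time:", work_profile(constant_time_compare, SECRET, GUESSES))
```

Run stand-alone, the leaky profile climbs (1, 2, 5, 12 bytes examined) as each guess matches more of the secret, while the constant-time profile stays at 12 throughout. That climbing profile is the "hesitation" from the slide: the code, not the cipher, is what gives the secret away, which is why the fix belongs in the software (`hmac.compare_digest` in Python) and not in the math.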
Levels of proficiency
Expert: recognized authority
Advanced: applied theory
Intermediate: practical application
Novice: limited experience
Awareness: basic knowledge

Jeopardy-Style CTF: Awareness to Intermediate
Attack-Defense CTF: Advanced to Expert
Basic Knowledge | Reverse engineering | Network security | Program exploitation | Cryptography | Forensics
• Everyone runs same software
• Exploit others = gain points
• Be exploited = lose points
CMU Goals
1 Grow cybersecurity field
2 Identify and attract most promising high school students
3 Systematize the above

Year 1: ~10,000
Year 2: ~12,000
Year 3: ~18,000

18,000 High School Students
1. Run PicoCTF.com
2. Top 50 get recommendation
3. Coursework + CTF
Run next picoCTF

Bell-curve of ability
System recruits
1 Auto-didactic
2 Demonstrable ability
3 Top talent
(Axis: Average … Exceptional)
Two Themes
1. CTF problems are a proven, effective way to teach hacking skills
2. You can systematize CTFs to build your pipeline

Next Actions
• Incorporate CTFs into your training
• Develop system for identifying talent
• Build CTF problems representative of skills you care about
• Use CTF applications to recruit and/or interview
THANK YOU