#RSAC

SESSION ID: HUM-F02

HOW THE BEST LEARN THEIR CRAFT

David Brumley, CEO, ForAllSecure; Professor, Carnegie Mellon University; @thedavidbrumley

George Hotz

• First iPhone jailbreak
• PlayStation 3
• Zero-days in Adobe, Firefox, …

Image Credit: https://goo.gl/rhmFEb

Richard Zhu

• Mozilla Firefox ('18)
• Microsoft Edge ('17 & '18)
• iOS Safari ('17)

Image Credit: https://goo.gl/yY5FRg

#1 US team since 2011
#1 overall in 3 of the past 7 years
4 DEFCON wins, the most wins in DEFCON history

Learning Objectives

1. Understand how top experts use capture the flag competitions for deliberate practice.

2. See how hacking competitions gamify learning computer security.

3. Learn how to set up a system for building a top-ranked culture.

Basic Knowledge

Question

Flag

Answer: FAT

Jeopardy-Style CTF Categories

Columns (categories): Basic Knowledge, Reverse engineering, Network security, Program exploitation, Cryptography, Forensics. Rows: increasing difficulty.

Example column (Cryptography):

Caesar Cipher ...... 10 pts

Frequency analysis ...... 20 pts

RSA Encryption ...... 40 pts

RSA Low Exponent ...... 100 pts

Gamify Learning

CTF Principles

1. Applied, deliberate practice
2. Autodidactic learning
3. Creative problem solving

1. Applied, Deliberate Practice

Reverse engineering, Network security, Program exploitation, Cryptography, Forensics

"Buffer Overflow"

Class: 90-minute lecture
1. Sophomore course
2. Students understand the concept

Challenge: apply the knowledge
1. What is the real program's buffer size?
2. How do you create a long user input?
3. How do you create a specific attack input?
4. …

Diagram: user input size programmed as 10 bytes long; user input given is 50 bytes long.

CTF Problem: Show You Can Do It

2. Autodidactic Learning

Auto: self; didactic: learn

Romantic, but not real

Image: http://www.starwars.com/news/6-great-quotes-about-the-force

2. Auto-didactic Learning

Richard didn't know either. He read up.

Stack frame of the target function (32-bit):
4-byte return address
4-byte saved ebp
0x70-byte sub = 112 bytes

Answer: 116 (112 + 4: past the local area and the saved ebp to reach the return address)

3. Creative Problem Solving
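The frame arithmetic on the slide, and the bounded input handling that keeps such a frame intact, as an added C example (not code from the talk or from any course it describes). It assumes the 32-bit x86 cdecl layout the slide implies (a 4-byte return address pushed by the call, a 4-byte saved ebp pushed by the callee, locals reserved with "sub $0x70, %esp") and uses its own function names; the 50-byte input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Frame pieces pushed on a 32-bit x86 call (assumption: the cdecl layout the
 * slide describes: "call" pushes the return address, the callee pushes ebp). */
#define SAVED_EBP_SIZE 4u
#define RET_ADDR_SIZE  4u

/* Bytes of input needed to reach the saved return address: the whole local
 * area reserved by "sub $0x70, %esp" plus the saved ebp above it. */
unsigned bytes_to_ret_addr(unsigned sub_esp_bytes)
{
    return sub_esp_bytes + SAVED_EBP_SIZE;
}

/* Bytes written before the return address is completely covered. */
unsigned bytes_through_ret_addr(unsigned sub_esp_bytes)
{
    return bytes_to_ret_addr(sub_esp_bytes) + RET_ADDR_SIZE;
}

/* The lecture's vulnerable pattern, left as a comment so it never runs:
 *     char buf[10];
 *     strcpy(buf, user_input);   // a 50-byte input runs past buf
 */

#define NAME_BUF_SIZE 10u

/* Hardened form: a 10-byte buffer holds at most 9 characters plus the NUL,
 * so anything longer is rejected before a single byte is copied. */
int copy_name(char *dst, const char *user_input)
{
    size_t n = strlen(user_input);
    if (n >= NAME_BUF_SIZE)
        return -1;            /* caller reports an error instead of crashing */
    memcpy(dst, user_input, n + 1);
    return 0;
}

/* Convenience wrapper for the checks below: 1 if the input fits, else 0. */
int name_accepted(const char *user_input)
{
    char name[NAME_BUF_SIZE];
    return copy_name(name, user_input) == 0;
}

int main(void)
{
    char long_input[51];               /* constructed: the slide's 50-byte input */
    memset(long_input, 'A', 50);
    long_input[50] = '\0';

    printf("bytes to reach the return address: %u\n", bytes_to_ret_addr(0x70));
    printf("bytes to cover it completely:      %u\n", bytes_through_ret_addr(0x70));
    printf("50-byte input: %s\n", name_accepted(long_input) ? "accepted" : "rejected");
    printf("\"alice\":       %s\n", name_accepted("alice") ? "accepted" : "rejected");
    return 0;
}
```

The first two functions reproduce the slide's 116 from the same three numbers it lists; the last two show the check the sophomore-course program lacked: the length is compared against the buffer size, NUL included, before anything is copied.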

Solution vs. Result

Problem in CTFs: "find the flag"
• The common view: the solution is the flag submitted, like 116 here.
• Wrong! flag ≠ solution
• Flag = result of the solution

This simplicity is fundamental to creativity
• Check only the results (i.e., the flag)
• Place few constraints on the solution

Creativity in problem solving

All valid approaches

Hack.IM CTF 2012 Example

• Break into a PHP-powered website made by the organizers
• Reference solution used an XPath injection vulnerability
• The Dutch team's solution found a flaw in PHP itself, a major programming language

Adi Shamir, Len Adleman, Ron Rivest

RSA is considered mathematically secure.

Picture from http://www.usc.edu/dept/molecular-science/RSA-2003.htm

Software Security

The crypto (math) doesn't talk about the code (app).

Diagram: Cryptography vs. Software Security

Timing attacks against crypto

Suppose my wife asks: "Do I look fat in this outfit?"

Any hesitation reveals information.

Crypto Software

If key = 1, 1 sec. to decrypt
If key = 2, 2 sec. to decrypt
If key = 3, 3 sec. to decrypt
…
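The leak on this slide, modelled deterministically, as an added C example that is not code from the talk. Rather than measuring wall-clock time, each comparison counts the byte operations it performs, so the dependence of work on the secret is visible without noise. The secret key, the guesses and the function names are this example's own constructions; the constant-time routine follows the same idea as OpenSSL's CRYPTO_memcmp.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed secret: an 8-byte key this example compares guesses against. */
#define KEY_LEN 8
static const uint8_t SECRET_KEY[KEY_LEN] = {0x13, 0x37, 0xc0, 0xde, 0xca, 0xfe, 0xba, 0xbe};

/* Constructed guesses: wrong in byte 0, right in the first two bytes, fully right. */
const uint8_t GUESS_WRONG_FIRST[KEY_LEN] = {0x00, 0x37, 0xc0, 0xde, 0xca, 0xfe, 0xba, 0xbe};
const uint8_t GUESS_TWO_RIGHT[KEY_LEN]   = {0x13, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
const uint8_t GUESS_ALL_RIGHT[KEY_LEN]   = {0x13, 0x37, 0xc0, 0xde, 0xca, 0xfe, 0xba, 0xbe};

/* Early-exit check: returns at the first mismatch.  The byte count in *ops
 * stands in for elapsed time, and it grows with every correct leading byte,
 * which is the "key = 3, 3 sec." pattern on the slide. */
int leaky_matches(const uint8_t *guess, size_t *ops)
{
    *ops = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        (*ops)++;
        if (SECRET_KEY[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time check: touches every byte regardless and folds the
 * differences into one accumulator, so *ops (and the time) is the same for
 * every guess.  Same idea as OpenSSL's CRYPTO_memcmp. */
int ct_matches(const uint8_t *guess, size_t *ops)
{
    uint8_t diff = 0;
    *ops = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        (*ops)++;
        diff |= SECRET_KEY[i] ^ guess[i];
    }
    return diff == 0;
}

/* Helpers that return only the work count, for the checks below. */
size_t leaky_ops(const uint8_t *guess) { size_t n; leaky_matches(guess, &n); return n; }
size_t ct_ops(const uint8_t *guess)    { size_t n; ct_matches(guess, &n);    return n; }

int main(void)
{
    const uint8_t *guesses[] = {GUESS_WRONG_FIRST, GUESS_TWO_RIGHT, GUESS_ALL_RIGHT};
    const char *labels[] = {"wrong first byte", "two bytes right", "all right"};
    printf("%-18s %10s %12s\n", "guess", "leaky ops", "ct ops");
    for (size_t i = 0; i < 3; i++)
        printf("%-18s %10zu %12zu\n", labels[i], leaky_ops(guesses[i]), ct_ops(guesses[i]));
    return 0;
}
```

The leaky column rises 1, 3, 8 as more leading bytes are right, which is what lets an observer recover the key one byte at a time; the constant-time column reads 8 for every guess, so the comparison's timing says nothing about the secret. Real compilers may still reorder or short-circuit code written this way, which is why production code uses a library routine built for the purpose.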

Levels of proficiency

Expert: recognized authority
Advanced: applied theory
Intermediate: practical application
Novice: limited experience
Awareness: basic knowledge

Jeopardy-Style CTF: Awareness to Intermediate
Attack-Defense CTF: Advanced to Expert

Categories: Basic Knowledge, Reverse engineering, Network security, Program exploitation, Cryptography, Forensics

Attack-Defense CTF:
• Everyone runs the same software
• Exploit others = gain points
• Be exploited = lose points

CMU Goals

1. Grow the cybersecurity field
2. Identify and attract the most promising high school students
3. Systematize the above

Participants: Year 1: ~10,000; Year 2: ~12,000; Year 3: ~18,000

18,000 High School Students

1. Run PicoCTF.com
2. Top 50 get a recommendation
3. Coursework + CTF
Then run the next picoCTF (the cycle repeats)

Bell-curve of ability (Average … Exceptional)

System recruits:
1. Auto-didactic
2. Demonstrable ability
3. Top talent

Two Themes

1. CTF problems are a proven, effective way to teach hacking skills
2. You can systematize CTFs to build your pipeline

Next Actions

• Incorporate CTFs into your training
• Develop a system for identifying talent
• Build CTF problems representative of the skills you care about
• Use CTF applications to recruit and/or interview


THANK YOU