How the Best Hackers Learn Their Craft

How the Best Hackers Learn Their Craft

#RSAC SESSION ID: HUM-F02 HOW THE BEST HACKERS LEARN THEIR CRAFT David Brumley CEO, ForAllSecure Professor, Carnegie Mellon University @thedavidbrumley George Hotz • First IPhone JailBreak • Playstation 3 • Zero-days in Adobe, Firefox, … Image Credit: https://goo.gl/rhmFEb 2 Richard Zhu • Mozilla Firefox (’18) • Microsoft Edge (‘17 & ’18) • iOS Safari (‘17) Image Credit: https://goo.gl/yY5FRg 3 #1 US Team since 2011 #1 Overall 3 of past 7 years 4 DEFCON wins – most wins in DEFCON history 4 Learning Objectives #RSAC 1. Understand how top experts use capture the flag competitions for deliberate practice. 2. See how hacking competitions gamify learning computer security. 3. Learn how to set up a system for building a top-ranked hacker culture. 5 Basic Knowledge Question Flag 6 Basic Knowledge Answer: FAT 7 Jeopardy-Style CTF Categories Basic Reverse Network Program Cryptography Forensics Difficulty Knowledge engineering security Exploitation Caesar Cipher ... ... ... ... ... 10 pts Frequency analysis ... ... ... ... ... 20 pts RSA Encryption ... ... ... ... ... 40 pts RSA Low Exponent ... ... ... ... ... 100 pts 8 Gamify Learning 9 1 Applied, deliberate practice CTF Principles 2 Autodidactic learning 3 Creative problem solving 10 1 Applied, deliberate practice Reverse Network Program Cryptography Forensics engineering security Exploitation 11 ”Buffer Overflow” User input size programmed Class: 90 minutes lecture 1. Sophomore course 10 bytes 2. Students understand concept long Challenge: Apply knowledge 50 bytes long 1. Real program buffer size? 2. Create long user input? User input given 3. Create specific attack input? 4. … 12 CTF Problem: Show You Can Do It 13 2 Autodidactic Learning Auto: self didactic: learn 14 Romantic, but not real Image: http://www.starwars.com/news/6-great-quotes-about-the-force 2 Auto-didactic Learning Richard didn’t know either. He read up. 16 2 Auto-didactic Learning 4 byte ret address 4 byte ebp 0x70 byte sub = 112 bytes Answer: 116 17 3 Creative Problem Solving 18 Solution vs Result Problem in CTFs: “find the flag” • Solution is flag submitted, like 116 here. • Wrong! flag ≠ solution • Flag = result of the solution This simplicity is fundamental to creativity • Check only the results (i.e., the flag) • Place few constraints on the solution 19 Creativity in problem solving All valid approaches 20 Hack.IM CTF 2012 Example • Break into PHP-powered website made by organizers • Reference solution used XPath injection vulnerability Dutch solution found flaw in PHP, a major programming language 21 Adi Shamir Len Adleman Ron Rivest RSA is considered mathematically secure. Picture from http://www.usc.edu/dept/molecular-science/RSA-2003.htm 22 Software Security The crypto (math) doesn’t talk about code (app) Cryptography 23 Timing attacks against crypto Suppose my wife asks: “Do I look fat in this outfit” Any hesitation reveals information. 24 Crypto Software If key = 1, 1 sec. to decrypt If key = 2, 2 sec. to decrypt If key = 3, 3 sec. to decrypt … 25 Expert Levels of proficiency recognized authority Advanced applied theory Intermediate practical application Novice limited experience Awareness basic knowledge 26 Jeopardy-Style CTF Attack-Defense CTF Awareness - Intermediate Advanced - Expert Basic Reverse Network Program Cryptography Forensics Knowledge engineering security Exploitation ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... • Everyone runs same software • Exploit others = gain points • Be exploited = loose points 27 CMU Goals 1 Grow cybersecurity field 2 Identify and attract most promising high school students 3 Systematize the above 28 Year 1: ~10,000 Year 2: ~12,000 Year 3: ~18,000 29 18,000 High School Students 3. Coursework + CTF 1. Run PicoCTF.com 2. Top 50 get recommendation Run next picoctf 30 Bell-curve of ability System recruits 1 Auto-didactic 2 Demonstrable ability 3 Top talent Average Exceptional 31 Two Themes 1. CTF problems are a proven, effective way to teach hacking skills 2. You can systematize CTF’s to build your pipeline 32 Next Actions • Incorporate CTF’s into your training 33 Next Actions • Incorporate CTF’s into your training • Develop system for identifying talent • Build CTF problems representative of skills you care about • Use CTF applications to recruit and/or interview 34 #RSAC THANK YOU.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    35 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us