AutoCTF: Creating Diverse Pwnables via Automated Bug Injection
Abstract
Capture the Flag (CTF) is a popular computer security exercise in which teams compete against one another to attack and/or defend programs in real time. CTFs are currently expensive to build and run: each is a bespoke affair, with challenges and vulnerabilities crafted by experts. This limits both the educational value for players and what researchers can learn from them about human activities such as vulnerability discovery and exploitation. In this work, we take steps towards making CTFs cheap and reusable by extending our LAVA bug injection system to add exploitable vulnerabilities, enabling rapid generation of new CTF challenges. New LAVA bug types, including a memory-corruption bug and an address-disclosure bug, form a sufficient set of primitives for program exploitation in most cases. We used these techniques to create AutoCTF, a week-long event involving teams from four universities. For evaluation, we conducted surveys and semi-structured interviews after the event to understand how AutoCTF differed from a handmade CTF, assessing not only challenge realism and difficulty but also the relative effort expended on bug finding and exploit development. Our preliminary results indicate that AutoCTF can form the basis for cost-effective and reusable CTFs, allowing them to be run often and easily to train new generations of security researchers as well as to provide empirical data on human vulnerability discovery and exploit development.
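To make the two primitive classes named in the abstract concrete, the following is an added illustration (not code from the report, and not LAVA's actual output) of what an injected memory-corruption bug and an injected address-disclosure bug look like inside an otherwise benign record parser. As with the original LAVA bugs, each injected branch fires only when an input-derived value equals a magic constant. The input format, the `MAGIC` value, the arena layout and all function names are constructed for this example; the record and the privileged flag are kept inside one fixed array so the out-of-bounds write is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: bytes[0..RECORD_LEN-1] hold the parsed record,
 * bytes[FLAG_OFF] is a privileged flag that benign code never writes. */
#define RECORD_LEN 16
#define ARENA_LEN  32
#define FLAG_OFF   (ARENA_LEN - 1)

/* Hypothetical trigger value; injected bugs fire only when the input matches it. */
#define MAGIC 0x6c617661u

struct arena {
    unsigned char bytes[ARENA_LEN];
};

/* Constructed wire format: 4-byte little-endian trigger, 1-byte offset,
 * 1-byte value, then up to RECORD_LEN record bytes. */
struct msg {
    uint32_t trigger;
    uint8_t  off;
    uint8_t  val;
    const unsigned char *rec;
    size_t   rec_len;
};

static int parse_msg(const unsigned char *buf, size_t len, struct msg *m) {
    if (len < 6) return -1;
    m->trigger = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                 (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    m->off = buf[4];
    m->val = buf[5];
    m->rec = buf + 6;
    m->rec_len = len - 6;
    if (m->rec_len > RECORD_LEN) m->rec_len = RECORD_LEN;  /* benign bounds check */
    return 0;
}

/* Primitive 1: injected memory corruption. The benign path copies the record
 * into its slot with a proper length check. The injected branch performs an
 * attacker-controlled write at an attacker-controlled offset, ignoring
 * RECORD_LEN (only the arena size is respected so the toy stays defined).
 * Returns 1 if the injected branch fired, 0 if not, -1 on a parse error. */
int process_record(struct arena *a, const unsigned char *buf, size_t len) {
    struct msg m;
    if (parse_msg(buf, len, &m) != 0) return -1;
    memset(a->bytes, 0, ARENA_LEN);
    memcpy(a->bytes, m.rec, m.rec_len);
    if (m.trigger == MAGIC) {
        a->bytes[m.off % ARENA_LEN] = m.val;   /* injected out-of-record write */
        return 1;
    }
    return 0;
}

/* Primitive 2: injected address disclosure. Returns the arena's address when
 * the trigger matches, 0 otherwise; in a real target this would reach the
 * attacker through an output channel and defeat address randomisation. */
uintptr_t leak_address(const struct arena *a, const unsigned char *buf, size_t len) {
    struct msg m;
    if (parse_msg(buf, len, &m) != 0) return 0;
    if (m.trigger == MAGIC) return (uintptr_t)a;
    return 0;
}

int is_privileged(const struct arena *a) { return a->bytes[FLAG_OFF] != 0; }

int main(void) {
    struct arena a;
    /* constructed benign input: trigger 0, record "hello" */
    const unsigned char benign[] = {0, 0, 0, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    /* constructed triggering input: trigger = MAGIC (little-endian), off = FLAG_OFF, val = 1 */
    const unsigned char evil[] = {0x61, 0x76, 0x61, 0x6c, FLAG_OFF, 1, 'h', 'e', 'l', 'l', 'o'};

    process_record(&a, benign, sizeof benign);
    printf("benign : privileged=%d leak=%#lx\n", is_privileged(&a),
           (unsigned long)leak_address(&a, benign, sizeof benign));
    process_record(&a, evil, sizeof evil);
    printf("trigger: privileged=%d leak=%#lx\n", is_privileged(&a),
           (unsigned long)leak_address(&a, evil, sizeof evil));
    return 0;
}
```

The point of the pairing is the one the abstract makes: the disclosure tells the attacker where things are, and the controlled write lets them change one of those things, which together cover most of what an exploit needs from a target.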
Document Details
- Document Type: Technical Report
- Publication Date: May 31, 2017
- Accession Number: AD1034646
Entities
People
- Aaron W. Sedlacek
- Andrew S. Fasano
- Andrew T. Davis
- Brendan Dolan-Gavitt
- Cody W. Gallagher
- Patrick A. Hulin
- Rahul Sridhar
- Timothy R. Leek
Organizations
- MIT Lincoln Laboratory