Budding Embedded Security Engineers Display Unflagging CreativityDecember 2018
Ryan Burrow, a graduate embedded security intern at MITRE, helped run this summer’s eCTF competition.
You know it's a cool internship when you get to design a video game console—and attack one, too. That was the charge for 15 summer interns who took part in MITRE’s 2018 Embedded Capture the Flag (eCTF) competition.
For the uninitiated, an embedded system has a specific function within a larger system. They're ubiquitous—in washing machines, cars, medical devices, and more. Finding the vulnerabilities in these systems is critical to safeguarding everything, from personal data to banking systems to electric grids. That's why MITRE's cybersecurity experts created the eCTF in 2015—to grow the pipeline of embedded system security engineers and improve embedded security education. Cultivating cybersecurity talent is just one component of MITRE's mission to make the world safer.
Now in its fourth year, the MITRE eCTF gives students experience designing and protecting embedded systems—and hopefully inspires them to go into the quickly growing field. The collegiate eCTF takes place each spring; the summer competition is for our interns.
Design, Attack, Defend, Learn
"The challenge this summer was to design and then attack a Linux-based video game console," says Ryan Burrow, graduate embedded security intern. Burrow was on the Virginia Tech team that won the spring eCTF and helped design the rules, requirements, and validation processes for the summer competition.
Interns implemented their designs on a system on a chip, which integrates all components of a computer. "It has both an FPGA [field-programmable gate array] and dual core ARM processor, which allows teams to design both hardware and software," he adds.
The interns formed three teams, with names such as "wii secure" and "The Missing Xilinx." Each participant had eight hours per week (out of their regularly scheduled internship commitments), over nine weeks, to dedicate to the design and attack phases of the competition. Every team was paired with a MITRE mentor.
An external team from Riverside Research joined the competition for the first time. The nonprofit dedicated some of their senior experts in embedded security to help run the competition, and two of their own interns participated.
When the User and the Attacker Are the Same
Lou Fogel, the MITRE embedded security engineer who led the summer eCTF, explains that when you think like a cyber attacker, you become a better defender.
"In this summer's eCTF scenario, the video game user and the attacker could be one and the same," he says. "The company wants to prevent people from pirating their software or hacking the system. They need to figure out the risks."
Each eCTF team presented its design and the attack methods used to get at PINs and capture flags, which are secret strings of information within a system.
Teams modified the system’s code to increase security and prevent common vulnerabilities such as buffer overflows, a common IT term to signify when a temporary data holding area floods, overwriting existing data. Some teams used "fault canaries," which detect a fault injection attack—like introducing power dips called brownouts or manipulating the computer clock on a processor running secure code. Others used cryptography to protect shared secrets, secure data known only to the parties involved.
Participants also shared the challenges of working within time and resource constraints. One participant said that when he went back to his regular internship work, he'd get "unstuck" about something eCTF-related.
First place overall went to the team TBD (really, that was their official name)—"Awarded for most points overall, combined from capturing and defending flags."
The Iron Flag Award went to team wii secure—"Awarded for submitting the system that defended its flags for the longest time during the attack phase."
Growing the Best Talent for Embedded Security
Fogel is candid about explaining the overall value of the competition to up-and-coming cyber scholars, as well as the collegiate eCTF in the spring.
"Why do we run the eCTF, and why enter it? It's not because our sponsors asked us to design a secure video game console. Or that your managers didn't think you had enough work to do," he says.
"It's because we need the best talent working on embedded security issues. This gets you excited about the field and hopefully becom[ing] cybersecurity evangelists. Demand classes if they're not offered. Start embedded security clubs on campus.
"And then come work for MITRE."
—by Karina Wright
Learn more at MITRE Focal Point: Cybersecurity.