DEF CON 26 CTF: Powered by The Order of the Overflow!
Congratulations to Order of the Overflow!
The search for the DEF CON Capture the Flag organizers has come to a close. It was a very difficult evaluation, but we've decided who will run the contest in the years to come. First, some DC CTF history.
In the early years DEF CON ran the CTF with "The People" being the primary organizer. As CTF grew in complexity it became too much for a single person to manage and teams of skillful hackers took on the responsibility. Hackers creating the contest for other hackers, and every few years the organizers changing to bring new perspectives and ideas.
With @LegitBS passing the torch at the close of DEF CON 25 it was time to select a new team that would take it in new directions. A call for organizers went out, and teams from around the world responded with their vision of what the would build and how they would challenge the teams that qualified to play at DEF CON 26.
I, and the team of reviewers who helped score and question the submissions, looked for a unicorn: Super technical, diverse, has a strong vision, respect past CTF traditions but wants to make changes they feel passionately about. Years of CTF experience from both competing and organizing. Well respected in the community and trusted but not predictable. Considers game play and scoring dynamics to create a more spectator friendly contest to attract new interest to the CTF field. There were many competing consideration and in the end I believe we found what is our Cyber Unicorn of DEF CON 26.
I present to you The Order of the Overflow!
The Dark Tangent
In the 80s and 90s, the world changed in a fundamental way. One day, it took days to mail a letter, weeks to buy a product, and months in between being able to talk, face-to-face, with loved ones. The next day, emails crossed the globe in seconds, products could be ordered “online” in a matter of days (and now hours!), and a video-call could be had on a whim. But, as with any uncharted domain in human history, there be dragons...
We, hackers, are the dragons of the digital age. For decades after the interconnectivity of the world began, our civilization did not grasp the concept of security. In the 80s, a clever graduate student disabled the internet by using a “buffer overflow” to inject “shellcode” into a remote process—the first documented (though, certainly not the first actual) use of this technique to take over remote systems and submit them to the will of an attacker. The 90s were filled with tales of the exploits of “super-hackers” who bent the new laws of digital nature to their will, living as sort of modern Robin Hoods before inevitably ending up in jail and having to go clean. The first decade of the 21st century was marked by constant attacks by “worms,” written by hooligan hackers around the world, targeting MSSQL one week, Windows NT the next, and SMB a month later. The Internet was the wild west, and these hooligans were cowboys, living and thriving in the lawlessness.
Of course, security improves. The Windows of 2017 is far, far more secure than the Windows of 2007. Vulnerabilities with the impact of those used by the Morris worm (1988) or Slammer (2003) are priceless, and are hoarded accordingly. Nowadays, real-world hacking is mostly (though far from completely) concentrated in the hands of nation states, cyber-criminal enterprises, well-trained (and, as a departure from the old Robin Hoods, well-paid) professionals working for corporations, and a few (and far-between) “hacktivists” (and even these have been somewhat decreasing in recent years). We need to even the score.
Obviously, no one is born with an intrinsic ability to exploit software systems, and there is a gap between noob and pro. Twenty years ago, this gap was filled with script kiddies, and the route to transcend beyond that was unclear. Nowadays, the entire spectrum, including complete noobs, those trying to learn, and complete pros, is filled by CTF. CTFs exist that cater to people who don’t (yet) know buffer overflows (i.e., PicoCTF), to bright students on their way to security domination (CSAW), and to complete hacking gods, who spend their day-jobs working for secretive corporations and shadowy government organizations.
DEF CON CTF has two roles. One, it provides a venue for the true pro hackers to ply their craft and show off their skill. As such, it acts as a weather vane for the hacking community, pointing out the top hackers and the most effective techniques (tools, automation, etc.). But just as importantly, it is a spectacle. Tens of thousands of enthusiasts, noobs, and interested people come through the CTF room. DEF CON CTF is an opportunity to inform, awe, and inspire them so that they will strive to be the next generation of pro hackers and, in turn, inspire others.
We have collectively been here for a while, from wandering the halls in awe of the master hackers at DEF CON 9 to spending sleepless nights competing against them every year since DEF CON 12. Now, we hope to shepherd DEF CON CTF through the next generation of technological and societal shifts. Just as importantly, we will keep DEF CON CTF a spectacle that can be used to inspire the next generation, who, just like we used to do, will first wander the halls in awe of the players and then hack them to shreds a decade later.
The Zen of CTF
The DEF CON CTF is a premier hacking event that benefits at least three target audiences, and any organizer must be aware of them:
The participants. As the elite of the elite in the CTF hacking community, the DEF CON CTF participants deserve a CTF that is fair, is challenging, and pushes them past their intellectual limits.
The CTF community. As a group of security enthusiasts, amateurs, and professionals, the CTF community dedicates free time and energy to the pursuit of security glory and that knowledge that is obtained along the way.
The spectators. DEF CON brings together folks from all walks of security life, and some of them have never experienced the frenetic energy, joy, and tears of a CTF, and this will be their first introduction.
To properly honor the legacy of DEF CON CTF, and to lead it into the future, we will be cognizant of these different target audiences and to design not only the game, but the stage and room as well, to engage, to challenge, and to educate these diverse audiences.
DEF CON CTF
DEF CON CTF acts as a lens for the entire security community, magnifying the latest vulnerabilities, and pushing the bounds of exploitation. The latest and greatest security vulnerabilities make their way into DEF CON CTF challenges. This is an incredibly important part for the community, because reading about a vulnerability description on a blog is not the same thing as actively finding a vulnerability and developing an exploit. There is no knowledge without putting fingers to keyboard, and the DEF CON CTF is perfectly suited to forcing the CTF community to learn about the latest and greatest. This constant pressure keeps teams on their toes—forcing them to keep up with the times and stay relevant and current. There are no resting on laurels at DEF CON CTF.
Thus, a DEF CON CTF must continue to not only having challenging problems, but those challenges must be on the cutting edge of technologies, vulnerabilities, and exploitation. This is important for all: the participants, the CTF community, and the spectators.
Most importantly, DEF CON is a symbol. It is a statement that hacking is not only cool, not only competitive, not only hard, but also possible and inspiring. Despite their mythical status, these elite hackers are not gods, able to solve problem simply by glancing at them. They make it to DEF CON CTF because they put in the time, effort, blood, sweat, and tear to develop the skills and, more importantly, the knowledge necessary to hack at the highest of levels.
DEF CON CTF must be an inspiration for everyone: the participants, the CTF community, and, most importantly, the spectators. This event should unite everyone: the curious newbie, the grizzled old SOC analyst, the CISO in a suit, the undercover fed, the young students, and the crazy university professor. It is incumbent upon the DEF CON CTF organizers to hold on and maintain this shining symbol of hacker excellence.
DEF CON CTF is a part of our community: a living, evolving event. It needs to be guided, shaped, and shepherded by knowledgeable, careful, and passionate organizers.
Therefore, as the next organizers of DEF CON CTF, we hereby promise to uphold and defend the following principles. All of our events, from now to the future, whatever form they may take, will live by these principles.
Responsible Innovation. DEF CON CTF must innovate, or it will stagnate and die. However, new additions to the game cannot be added willy nilly. Unlike some CTFs that deliberately experiment with new game designs, DEF CON CTF cannot completely change the game year-to-year and experiment with zany scoring systems or game designs. While innovation must be pursued for the game to evolve, this innovation must be tempered. Therefore, we promise to propel DEF CON CTF into the future, while maintaining a stable and fun game.
Intellectually Rewarding Challenges. Creating a difficult CTF challenge is easy: simply obfuscate or place the vulnerability in a random location in the program. However, this directly contradicts the goals of a CTF: intellectually rewarding challenges—challenges where you feel accomplished when you solve them, where you had to learn and master a new skill. Our DEF CON CTF will always strive for challenges that are challenging, but in an intellectually rewarding way, not in a random/frustrating way. Never again will participants suffer through a tarball that creates a qcow file system that contains thousands of deleted files, one of which is a docx that has a comment that contains a bit.ly link to the flag. These types of challenges test brute force skills (whether conceptual or computational), and are not the types of challenges that will we have in our DEF CON CTF.
State-of-the-art Challenges. Rather than focusing on one class of vulnerabilities or exploits over and over again, we will create challenges that have vulnerabilities ripped from both the headlines and the research papers. Cutting edge crypto vulnerabilities that are just theoretical. A massive vulnerability class that topples a Fortune 500. All of these challenges, and many more, will be included in our DEF CON CTF—where theoretical attack strongs and research blurs the line into the practical and real-world.
Inclusivity. DEF CON CTF should be enjoyed by everyone. This concept of inclusion extends to the participants, the CTF community, and the spectators. All will feel welcome at our events—all will feel enchanted by the hacker excellence. Young, old, male, female, or person, everyone will be welcome at our event and everyone will feel welcome.
Transparency. DEF CON CTF must be beyond reproach. To that end, the motivation, process, and results of the competition must be as transparent as they can be without compromising the competition itself. The last organizers have started down this road with their practice of open sourcing their services, infrastructure, and scoring data, and we plan to continue this in earnest.
By following these principles, we will deliver DEF CON CTFs that satisfy the needs of the participants, the CTF community, and the spectators.
The Order of the Overflow
We are your friends, teammates, and rivals. We are hackers, just like you, moving to the other side of the table. We have played CTF for a long, long time, and we are ready to put the philosophy that we have absorbed, refined, and developed into practice. We are:
Zardus (Yan Shoshitaishvili, @Zardus). Zardus has been part of the DEF CON community since DEF CON 9 (2001) and part of the Shellphish CTF team since DEF CON 17 (2009). He has been involved in hosting 7 editions of the iCTF (two of them being DEF CON pre-qualifiers). In 2012, Zardus became the captain of the Shellphish CTF team, helping guide them through the tricky business of being the oldest and coolest CTF team in the world until passing on the captain’s banner in 2017. As part of this, he has led Shellphish through not only CTFs, but also the creation of tools and training materials to benefit the community (such as an easy-to-install distribution of many tools useful for CTF, ctf-tools, and one of the most popular modern references for heap exploitation, how2heap).
Academically, Zardus has led research into groundbreaking binary analysis techniques. In this capacity, he co-founded angr, one of the most popular (open-source) binary analysis frameworks used today. Building on angr, Zardus successfully captained Shellphish through the participation in the DARPA Cyber Grand Challenge, in which they won third place and a spot in history (but not in the Smithsonian). Now, he is a professor at Arizona State University, where he is pushing the future of CTF, hacking in general, and cybersecurity.
lzcnt (<REDACTED>,@lzcnt). lzcnt is the most enigmatic participants in the modern CTF scene. Playing with Shellphish from 2013, lzcnt has instrumented many impressive hacks and captured countless flags.
More importantly, they have hosted 5 editions of the Boston Key Party CTF, of which 4 editions were CTF pre-qualifiers. They have also understood that innovation must be carried out responsibly—while keeping BKP a consistent success, lzcnt has innovated in the form of an experimental week-long binary-only CTF, BlazeCTF. Additionally, lzcnt has significantly contributed to several editions of CSAW and several other, smaller CTFs.
In their spare time, lzcnt contributes to the enthusiast community as one of the principal developers of the radare2 binary analysis framework.
adamd (Adam Doupé, @adamdoupe). Half man, half daemon, adamd brings a fresh perspective to the organizational team by having a deep understanding of both binary analysis, web security, and inclusivity. He has played in 7 editions of the DEF CON CTF, from 2008 through 2013, and has hosted 6 editions of the iCTF from 2010. Critically, he has also studied CTF as a field, producing 4 academic publications about various aspects of the game from the view of an educator.
In 2014, adamd became a professor at Arizona State University and bootstrapped a CTF team from scratch—the ASU pwndevils. His experience as a professor at ASU has given him insight into how to best include newcomers in the security field, which will be critical to realizing our philosophical ideals.
odo (Sean Ford). odo has played in 10 editions of the DEF CON CTF, since 2008, and helped host the 2008 iCTF. He is a genius at infrastructure, having designed the world-wide, resilient infrastructure for <REDACTED>.
nullptr (Wil Robertson, @nullptr). nullptr has played DEF CON CTF every year since 2004, with a victory in 2005. He is an undisputed master of binary exploitation trickery, and has hosted CTFs as far back as 2007.
balzaroth (Davide Balzarotti, @balzarot). balzaroth has played DEF CON CTF from 2004 through 2014, and continues to play other CTFs with his students in France. He has astonishingly extensive experience, and many very strongly-held opinions, in binary reverse engineering.
reyammer (Yanick Fratantonio, @reyammer). reyammer has played DEF CON CTF from 2012 through 2017, and he has participated to countless games working on challs from crazy crypto to noob reversing. He now enjoys life being an academic in the French riviera where he "works" (LOL) as a professor. His main research focus is mobile security, mainly Android. He is also a legendary pro at recon challs. And at trolling. Just saying.
gsilvis (George Silvis). gsilvis is a cryptographic wizard. While this unfortunately made him less apt to play DEF CON CTF in the past, he has designed a staggering number of crypto challenges for a large amount of CTFs, most significantly BKP.
kaπtain (Alexandros Kapravelos, @kapravel). Kaπtain has played DEF CON CTF on and off since 2010 and continues to play other CTFs and organize local CTFs with his own student group at NCSU, called HackPack. The web wizard-turned-professor has done many elite things, on and off the CTF network, and he's ready to bring in the heat!
You can follow us individually on twitter (or ping us on IRC) with any questions, concerns, encouragement, or flames (though don't expect any privileged information!). If you want to follow the team itself, check out @OoOverflow!
Conflict of Interest Policy
Our team consists of currently-active members of the Shellphish CTF team, as well as and formerly-active Shellphish members and friends of the team. This highlights the necessity of avoiding conflicts of interest, as Shellphish intends on continuing to participate in DEF CON CTF and its pre-qualifying events without us. We will take steps to avoid such conflicts of interest.
- We will provide no preferential treatment, neither in challenge design (i.e., tailored to the particular skills of the Shellphish team), nor in the selection of pre-qualifying events to favor the Shellphish team, nor the time zone selection for pre-qualification events.
- As the organizers of DEF CON CTF, we pledge to store all data on machines completely inaccessible to the Shellphish team. We will not reuse any Shellphish infrastructure or any private code that Shellphish has access to.
- We will not share any non-public information with Shellphish or any other team.
- We will not participate with Shellphish in any event that impacts the standings of teams in DEF CON CTF, such as pre-qualifying events or pre-qualifications for pre-qualifying events.
- The core of Shellphish resides at UC Santa Barbara. To maintain a strong separation of information, the hackers at UC Santa Barbara will continue to play with Shellphish and be isolated from hosting.
We have a strong track record of avoiding conflicts of interest — members of our team have run 5 DEF CON pre-qualification events in the last 4 years, and in each of these events, we have successfully segmented the organizing team away from the Shellphish who played. We were transparent to the then-organizers (both DDTEK and LegitBS), and the CTF community as a whole, and would not have proceeded if anyone had objected to our events being pre-qualifications for the DEF CON CTF. While in those events, Shellphish took the extra step of playing under a separate name (usually, PartOfShellphish) to easily opt out of the qualifying spot if they had somehow won the event, we expect that Shellphish will continue to play as Shellphish in our qualifying event and the various pre-qualifiers, just without us.
In the interest of full transparency, we state this: most of us are affiliated with a team which will attempt to qualify for the DEF CON CTF finals that we will host, but we will not favor or provide any special assistance to that team or any other. Our goal is to create a fair and exciting game for all players, and we hope that our reputation as fair CTF organizers speaks for itself in this regard.
Good luck, and keep hacking!