'The Anonymous Elephants' secure second place in MITRE's 2018 Embedded Capture-the-Flag Competition

Disclaimer: Juliana Furgala is a news editor for the Tufts Daily. She was not involved in the writing or editing of this article.

A team of seven Tufts students earned second place in the 2018 collegiate Embedded Capture-the-Flag Competition (eCTF), sponsored by MITRE, a not-for-profit organization that operates federally funded research and development systems.

The team, The Anonymous Elephants, also received recognition for "Best Writeup," according to Ming Chow, the senior lecturer in computer science who co-advised the team with Associate Professor of Electrical and Computer Engineering Mark Hempstead. The seven members of the team were first-year graduate student Geoffrey Keating, junior Vladimir Porokhin, junior Spencer Perry, senior Richard Preston, senior Robert Goodfellow, junior Juliana Furgala and senior Tom Hebb.

The eCTF challenge is a competition in which students first design a secure system based on a set of challenge requirements and then analyze and attack other teams' designs, attempting to identify security vulnerabilities, Chow said.

This year's challenge was to create and implement a modern chip-and-PIN ATM system, according to a guide on the MITRE website.

The guide said the system should include firmware, software and protocols for the ATM, the ATM card and the bank server to secure transactions and prevent attacks orchestrated by other teams.

"[Teams were given access to] the ATM systems designed by other teams and try to find ways to exploit those systems to gain access to the secret information they contained — such as credit card details, PINs, and bank account information. These pieces of secret information were the 'flags' in the titular 'capture the flag'," Goodfellow said in an email.

Tufts competed against 15 different universities including MIT, Virginia Tech, Northeastern, BU, UPenn and others, according to Perry and Goodfellow. Virginia Techplaced first in the competition.

"Placing second was a combination of a good design and maximizing the exploits that we found in other teams. There was a scoring system that weighed both the design and attacks phases, and the bulk of our overall points came from successfully exploiting other teams' systems," Perry said in an email.

The first stage of the competition began on Jan. 17, according to Chow. At Tufts, the competition took the form of a semester-long course for which students earned credit, Preston said. It was offered through the electrical engineering and computer science departments as an independent study course, according to Goodfellow. The design and defense phase took place during the first half of the semester, followed by the attack phase in the second half of the semester.

Preston commented on the types of challenges that the team faced during the competition.

"This was a highly technical competition, so the biggest challenges were simply in building a working, secure system to submit at the end of the defense phase, and then identifying and exploiting vulnerabilities during the attack phase," Preston said in an email.

Porokhin gave his take on the major challenges of the competition.

"There is practically an infinite number of ways minor flaws can overlap to enable an attack, and you wouldn't know which specific ones to look for beforehand, so a lot of it came down to intuition, trial and error, and independent research," Porokhin said in an email. "Developing and anticipating attack scenarios was the main challenge of this competition."

The eCTF challenge presents students with the opportunity to learn from not only their mistakes but others' as well.

"We learned as much from other people's mistakes as we did from our own. Looking into different systems and attacking them taught us about a myriad of vulnerabilities and provided insight into how they could be avoided through good design and programming practices," Porokhin said.

Goodfellow discussed overall lessons learned from the challenge.

"When you are designing a secure system, the question 'How do I make this?' is important," Goodfellow said. "But as important as that question is in developing the initial plan, even more important is to repeatedly ask 'How would I break this?' Repeatedly asking this question and refining the design over and over until nothing breaks anymore will result in an end product as robust and secure as is possible for that team to build."

Preston echoed the idea that establishing secure systems requires thinking creatively about a system.

"The important lesson was the great difficulty, if not impossibility, of total security," Preston wrote. "One cannot design a system for security and say, 'There, now it is, and forever will be, impervious to attack.' Rather, it is an intellectual struggle to be one step ahead of those who would act with malicious intent against you or your customers. And, the most effective method of doing this is to actually pretend to be that person, and seek out ways to make your system fail, in order to prevent them in the first place. This is applicable to all of engineering."

The team members found the competition to be a rewarding albeit challenging experience. Participating students walked away from the competition with hands-on security experience that they would not otherwise gain in a typical security course.

According to Chow, the reason MITRE holds this embedded system security competition is because very few students graduate with skills in combating security challenges.

"Embedded systems present different security challenges than those covered in typical cyber and network security courses and competitions, and MITRE wants help develop the next generation of embedded security experts so that they can secure the always-connected hardware of the future," Chow said, attributing these words to MITRE.