Mids Rack Up Medals at Cyber Stakes

  POSTED ON: Wednesday, April 23, 2014 8:00 AM by Cmdr. Michael Bilzor

A group of nine midshipmen recently took part in the inaugural DARPA-sponsored Cyber Stakes at Carnegie Mellon University, testing their hacking skills against their counterparts from the U.S. Military Academy and the U.S. Air Force Academy, and bringing home a haul of medals. The first-ever "Cyber Stakes" featured a variety of individual and team challenges over the course of three days, with a focus on the offensive side of cyber (unlike the annual Cyber Defense Exercise competition, which focuses on defense). Each service academy fielded nine competitors, in three teams of three, for 27 total cadets and midshipmen on nine teams. The Naval Academy was represented by Midshipmen 1st Class Arino, Harihara, Overfield, Geer, and Pfau; Midshipmen 2nd Class Budzitowski, Markel, and Fleming; and Midshipman 3rd Class Mason.

The results:

Cracking Crypto: Pfau, Fleming, and Markel took home the gold medal by cracking over 1300 passwords that had been scrambled with a variety of cryptographic hashing algorithms, using both existing tools and custom programs they wrote. Arino, Harihara, and Mason won the silver medal.

Breaking Bin: This team event asked competitors to examine 1000 executable programs to discover and exploit as many vulnerabilities as possible. The programs were real software used in current Linux operating systems, and vulnerability reports will be submitted for publication on behalf of the midshipmen and cadets who discovered them. Arino, Harihara, and Mason discovered 40 vulnerabilities and wrote a working exploit for one of them, earning enough points for the silver medal.

Reversing: In this event, competitors were given a series of obfuscated executable files, with no source code, and asked to analyze them to determine what program input could uncover a hidden key. Arino, Harihara, and Mason took the gold medal.

Lockpicking: This type of event is popular at hacker conferences worldwide as a physical counterpart to cyber vulnerability analysis. In an individual competition, Midshipman Fleming won the gold medal for the lowest overall time in picking six different 4-pin and 5-pin deadbolt locks. Markel captured the bronze.

"The Bomb": This event was a single-elimination tournament for individual competitors. During each round, the midshipmen and cadets raced against each other and the clock. Given an executable file but no other information, their task was to send an input to exploit a vulnerability in the program. Mason solved all his challenges fastest, earning the gold medal and leaving his cadet opponents to stare at a static-filled computer screen while a mock "bomb" exploded nearby, signifying each cadet's digital defeat.

Capture the Flag: The culminating event was a full-spectrum capture-the-flag, or CTF. Each team was given an identical computer, pre-loaded with software services containing multiple vulnerabilities. Teams were challenged to discover the vulnerabilities, develop exploits to use against other teams, capture keys from opponents' machines, and develop mitigations or patches for their own services. Points were awarded for service availability and for captured keys. Arino, Harihara, and Mason ran away with the points lead to win the gold medal, while Pfau, Fleming, and Markel rallied to second place and the silver medal.

In all, USNA midshipmen took the gold medal in every Cyber Stakes event except Breaking Bin, and they managed the silver in that event. Just as important, the competition was an opportunity for the midshipmen to hone their offensive cyber skills, learn from some of the top experts in the world, and enhance their working relationships with the other service academy cyber teams.

The Naval Academy team was accompanied by Cmdr. Bilzor and Professor Aviv of Computer Science, and Lt. Kiehl of the Center for Cyber Security Studies.

