Students combine hardware and attacking skills at cybersecurity competition

RIT places third in semester-long embedded capture-the-flag competition hosted by MITRE

Thomas Cenova, a computer engineering major, Brandon Adler, a computing security major, and Eric Scheler, a computer engineering major, went to Boston to represent an RIT team of computing students who placed third in the MITRE Collegiate eCTF (embedded capture-the-flag). For the competition, students from RIT’s Golisano College of Computing and Information Science and RIT’s Kate Gleason College of Engineering collaborated to learn about hardware and software security.

A team of RIT students from different computing disciplines came together last semester to place third in the 2019 MITRE Collegiate eCTF (embedded capture-the-flag) cybersecurity competition.

In this new style of CTF cybersecurity competition, students were tasked to understand both the hardware and software sides of an attack-and-defend exercise. The eCTF competition also lasted two-and-a-half months, while many cybersecurity competitions take place over a day or two.

The computing security, computer science and computer engineering students from RIT were challenged to design and implement a secure system based on a set of requirements. Students then analyzed and attacked the other team’s designs, gaining points by capturing and defending flags.

Northeastern University placed first in the competition, while Carnegie Mellon University placed second. University of Massachusetts Amherst tied with RIT for third place.

“This was our first year at this competition and we did really well for a team without any experience,” said Ziming Zhao, assistant professor of computing security and co-coach of the team. “To become a cybersecurity expert, you need to understand all the layers of a computer system—from hardware engineering to the software—and this special event was a great place for our students to learn that.”

MITRE, which operates federally funded research and development centers, has run the competition for the last four years. The event opens the scope of the cybersecurity challenge to include physical/proximal access attacks, because the main target is a real physical embedded device—which are common in Internet-of-Things devices.

In this year’s challenge, teams designed a secure video game console on the Digilent Arty Z7 development board. The system designed by students attempted to protect the intellectual property of game designers and prevent users from loading their own software. Designers had to make sure that only verified users could install and play games that they had purchased.

“I enjoyed this competition as it gave us the freedom to explore areas of hardware development not found in any of our classes,” said Thomas Cenova, a fifth-year computer engineering BS/MS from Johnson City, N.Y. “It really pushed us to the limits to learn everything about the hardware platform we used. “

RIT’s team would meet each week to develop the system and figure out what security goals they needed achieve. The platform used system on a chip (SoC), consisting of two central processing unit (CPU) cores and a field-programmable gate array (FPGA), which the team said opens a whole host of potential security issues.

“It was great having students from different majors working together and I think the best part was sharing our knowledge with each other,” said Cenova. “I definitely learned a lot more about security from them, and I hope they were able to learn more about low level hardware development from us.”

In phase two, students spent more than a month picking apart the systems created by the other 11 teams in the competition. RIT’s team tried different attack methods, raided and disabled source code and wrote exploits. The students also had to document and a produce a write-up of advanced attacks.

“RIT’s team gained a lot of its points by developing attack methods to capture specific flags and by doing it quickly,” said Ziming. “As security practitioners, we need to get our hands dirty and put our theories to the test in order to learn new things.”

A few members of the team attended the award ceremony in April, on MITRE’s campus in Boston.

RIT team members included; Cenova; Brandon Adler, a fourth-year BS/MS computing security student from Pittsford, N.Y.; Eric Scheler, a fifth-year BS/MS computer engineering student from Breinigsville, Pa.; Max Proskauer ’19, a computer engineering student from West Newton, Mass.; Langston Menezes, a computing security student from United Arab Emirates; Stuart Nevans Locke, a second-year computer science student from Bethesda, Md.; Alden Davidson ’19, a computer engineering student from Plymouth, Mass.; Jason Blocklove, a fifth-year BS/MS computer engineering student from Lansdale, Pa.; Prateek Talukdar, a computer engineering master’s student from India; and Jonathan Nissan, a third-year computing security student from Roslyn Heights, N.Y. The team was coached by Zhao and Marcin Lukowiak, associate professor of computer engineering.

To learn more about the MITRE eCTF (embedded capture-the-flag) competition, go to mitrecyberacademy.org/competitions/embedded.

To address the critical workforce needs in cybersecurity and help solve cybersecurity problems, RIT has announced the creation of a Global Cybersecurity Institute. The new three-story facility will allow RIT to address the global cybersecurity crisis by conducting groundbreaking research, education and professional training and development. It is expected to open in fall 2020, with a new executive director, and will be the first facility of its kind in upstate New York.