#54 – Why Capture the Flag is More Than Just A Game in Cybersecurity

CSI ACADEMIA – DRAFT 4 Transcript

SUMMARY KEYWORDS

vulnerabilities, hardware, teams, security, competitions, intel, designs, attacks, people, problems, bugs, devices, exploit, processors, flag, waldo, research, run, industry, find

SPEAKERS

ANNOUNCER, JV Rajendran, Camille Morhardt, Ahmad Sadeghi

 

ANNOUNCER  00:03

You’re watching Cybersecurity Inside, a videocast where you can discover what you need to know about cybersecurity. 

 

Camille Morhardt  00:11

Hi, I’m Camille Morhardt, and welcome to this episode of Cyber Security Inside. Today I’m going to speak with two professors who just won Intel security’s academic leadership award. I have with me Ahmad Reza Sadeghi, who is professor at TU Darmstadt in Germany. He’s actually joining us from Germany.

 

Ahmad Sadeghi  00:32

Th ank you. Hi. And thank you for having me.

 

Camille Morhardt  00:35

And I also have Professor JV Rajendran, you are assistant professor at Texas A&M. So you are dialing in from Texas, correct?

 

JV Rajendran  00:43

Yes, Camille. Thanks for having me here.

 

Camille Morhardt  00:46

We are going to talk about Capture the Flag what that means, especially when it comes to hardware security. Both professors are steeped in hardware security, knowledge and research. And we’re also going to get into a little bit about what they do in their labs. So welcome to this episode, happy to have them here with me, I’d like to kick it off in the spirit of what that means by asking the professor’s to define what is capture the flag in the digital realm. Please define it for us briefly,

 

JV Rajendran  01:16

Just like the physical world where you will be running around, picking up as many flags as possible. And trying to outscore the opponents or other competitors, is the same thing in the digital world. Except here, you’re dealing with a technical problem or a technical problem and you solve it, you get the digital flag, which you will report to the judges and you claim your points. And they in our hardware event. The technical problem is finding a bug are trying to come up with an exploit slash attack the platform that leverages this bug to do meaningful attack.

 

Camille Morhardt  01:53

Basically, you insert vulnerabilities known to you into the hardware, or you replicate vulnerabilities on purpose into the hardware, and then you set people loose, and they get to go look for it and look for either a hole, or some kind of a potential exploit that somebody could capitalize on later. And those essentially are the flags when they find those issues.

 

Ahmad Sadeghi  02:15

In this case, we are inspired by real world attacks in the past. That’s, for example, some people, some researchers in industry, academia, and they found out certain vulnerabilities in your computer’s CPU, for example, or in SOC, in general in your hardware. And then they exploit they just misuse that vulnerability to get control over your platform, your computing platform to get to do harm to your system, whatever or maybe to steal your secrets.

 

Camille Morhardt  02:49

So these are very complex designs, we’re talking about SOC designs. So I’m wondering, if you don’t have a capture the flag event? How are you training people to look for these kinds of things.

 

JV Rajendran  03:03

And I’ve been in the hardware security field in the last 10 years. And one of the things that we kept hearing about is hardware security bugs. And when I became an assistant professor, I wanted to have another research topic that to focus on is supply chain security. But I when I was looking for, hey, Are there examples of hardware security bugs, so that I can research upon what techniques I can develop as well as train students, there were not many publicly available hardware, security bugs, they were all high level descriptions. But there is nothing like, hey, here is hardware design. Now you see this lines of code, you see this mistake is happening. And this is what a hardware security bugs looks like. So we were looking for real world examples of these hardware vulnerabilities, especially on the Verilog and VHDL. of codes. But we were not able to find Yes, there were high level descriptions. But what does it actually look like in hardware? We never had the answer. So that’s when I remember 2017 Design Automation conference, when I was chatting with Ahmed, Jason Fong from Intel, he came to us and said like, hey, I want to have a discussion with you. He was pitching this idea of running the Capture the Flag competitions, where he provides buggy Verilog code, and asked students to find the bugs in the code and start exploiting them. And this was immediately great for me because oh, I was looking for buggy Verilog code and this guy from Intel comes and says he can provide that. And that’s great, not just for training students, but also for my research. So that’s how I got attracted to this line of work.

 

Camille Morhardt  04:41

So does the industry actually provide vulnerabilities that are real that they’re already aware of in their products to kind of test people and or things that they’ve been made aware of inthe past?

 

Ahmad Sadeghi  04:53

There are different classes. One of them is the class of those vulnerabilities that were discovered during the disease. Have hardware, so that the industry knows about that. And some of them, they could theoretically review. And then there are vulnerabilities that other people found after the fabrication of the hardware. This is the second class or within the third class is those vulnerabilities that can be found by analysis. So that means we find the source of vulnerabilities we tried out and we see Oh, that can indeed happen in real world as well. And then we inject those vulnerabilities into an open source hardware that different teams can compete to find those vulnerabilities. And of course, they also have the job to exploit it. So we started, as JB said, in 2017, with this small idea. And then the teams were put together Intel team was helping a lot, Jason Fox team, and also teams of JV and my team, we got together and put a program that started to grow and grow, because it was at that time 2018, the first hacking contest of joint industry, academia airport. And that became a kind of franchise because people saw it, it became very popular. And they asked us, oh, would you be able to run it on this top tier conference in security as well. So I knew and these teams are competing over several months, in two different or three different phases. And the ones who are successful in phase one, they come to phase two. And then at the end day, the last competition day, among the best teams the best, let’s say, up to sometimes up to 10 teams will be live. During the conference, then on Monday, we know who got the flak, which team has found that the most one abilities are the most important one is because some of the wannabes have a lower score, some of the Obamas have a higher score. And this is the principle of how it works.

 

Camille Morhardt  07:08

What kind of tools or resources do the teams have available to them? Are they using servers or some kind of scanners? And how are they getting access to these tests?

 

JV Rajendran  07:17

So initially, we provided the very broad VHDL code base of the entire SOC design. These designs are done in such a way so that you can simulate them using many electronic design automation tools, you can synthesize them, and then you can even upload them onto an FPGA. But just for the first time, time I’d use NEC security, what we did is we also gave them instances are AWS cloud, with these designs in place, so that they can actually analyze these buggy designs exploit the bugs on the AWS cloud.

 

Ahmad Sadeghi  07:53

Which makes it much I would say much cooler, because now you have a cloud where teams are connected and then compete on the cloud with each other. And you can inject anything that you want into the cloud. So you don’t have to send it to different teams. And we can very enhanced.

 

JV Rajendran  08:12

because usually these files are like 10 gigabytes, and especially when you want to run the competition over online for 48 hours, trust me with poor internet connections across the globe, the competition may be over before the design gets out. 

 

Ahmad Sadeghi  08:27

What is very interesting is and I always make that as a standard example is that the teams who are participating they are either from academia or industrial teams, or they are a combination of both these teams use the most unconventional methods to approach the problem is it’s like find Waldo, you just give it a complex system and say find Waldo. And finding Waldo is not always very easy if you need technical background, and some of them don’t have it. But they gain it through the length of this competition. And that’s a problem. When it comes to pandemic. You may say people are in computer science and in electrical engineering, I’m very fine to isolation because they are kind of doing technical stuff. They don’t care about the pandemic or not. But indeed, there is a kind of pressure during the pandemic, everything is at home. Davies team and my team had to really do some kind of therapy as well, because we needed to motivate these guys because they found some errors and they need to continue. So you need to motivate them. That was an interesting eye opening aspect of the competition during the pandemic because it’s not only one day, it’s several months, and that makes it more difficult. Still, many teams participated. And sometimes they find even errors and vulnerabilities that we didn’t inject into the secretary or code that we send them. That’s also the most important part of it. New vulnerabilities that teams find out They also surprise the Intel engineers.

 

Camille Morhardt  10:03

Okay, so I was just gonna ask that. Do you, are you guys ever like, wow, they found Fred instead of Waldo? we weren’t expecting that.

 

Ahmad Sadeghi  10:11

That’s the beauty of human mind, you can run a lot of artificial intelligence. But nobody has this past flashy idea that comes to human brain. And then they follow that path. And it comes to Fred instead of wonder. And sometimes Fred is much, much, much bigger than Waldo. So it’s…

 

JV Rajendran  10:33

 And through these events, we were able to find native what we call native bugs, that the bugs that we did not inject. But the bugs that were actually originally present in the actual design, were found by our participants, and some of the most interesting bugs, they were able to find within this 48 hour time period of getting the design. As responsible disclosure, we let the developers know and they were able to fix it. 

 

Ahmad Sadeghi  10:58

So I think this is the advantage you were talking about what is the advantage for industry and also for academia, academia get get more insights through working with industry, they understand many practical problems that exists in industry, and they may not know about it, because most of these things are secrets, trade secrets. And from industry point of view, they see really, kind of beautiful minds of people and how they find problems that may cost millions of billions of dollars, when you produce hardware, because without hardware, we will not have any IT system. For years, the forecolor believe that hardware is trusted, and only software can be buggy. But now we know that hardware is under attack. And if hardware is compromised, many systems will be compromised systems that are safety critical systems that are critical in any different sense when they are deployed in the critical infrastructure. So these kinds of competitions are important as one aspect of many other aspects that you need for hardware security.

 

Camille Morhardt  12:05

So do you set up these competitions or structure the vulnerabilities differently depending on what like market segment that you’re doing the training? So for example, would you set it up differently if you were leading a capture the flag for critical infrastructure, say, versus farming or banking or medicine? Or is it all the same? Because it doesn’t matter? Because you’re taking general purpose compute that you’re then applying in multiple different markets?

 

JV Rajendran  12:33

In general, no, because it is the special purpose hardware, it is a general purpose hardware. And that’s the most interesting part of it. Many systems have this SOC, for example, Intel processors, or ARM processors or any other processors, these attacks concern, all of this hype. And the most important aspect of these attacks is that we call them cross layer attacks. Because these are attacks that are launched from a malicious software. by exploiting a hardware vulnerability. It is not an attack that you use hardware device to touch a device, you can do it remotely if you know about the hard the vulnerability, and that is danger and the crucial area, the severity of this kind of what we are trying to find or let them find by others and see how they approach what tools they use, what kind of processes they have when they think about how to find these attacks. And these putting together is a big insight for both community. So there are certain bugs that are more severe. That can be, as I said, remotely exploited even by an attacker who doesn’t have the right privileges. Those kinds of attacks are far more serious. And our judges tend to value those attacks a lot more compared to exploiting a bug that just costs a simple denial of service. So for example, your computer doesn’t work anymore. But a simple denial of service in a autonomous car driving or in a robotic company, or in an assembly line, or anything else can have fatal consequences from safety point of view. If you can turn off all the processors at the same time, this is something that is so connected to the supply chain attacks, because if you have a supply chain where you buy software from somewhere and put it in a robot in another company, and we know that that robot runs on a specific processor, and the Wonder ability is known to hackers, they just need to access them software that is just over the supply chain is fed into the robot. And then you have the problem because 1000s or 100 1000s of these robots in car industry or somewhere else are using this malicious software that is exploiting the government. So these are also to say the consequences that can come into Future, the more we have automation systems, the more things can be done stealthy that we don’t really see it that everything is getting automatic. And in that sense, we need to think about these aspects now as a researcher, because we don’t want to always do a talk reaction to any kind of severe attacks.

 

Camille Morhardt  15:21

Okay, so you don’t necessarily do segments specific testing. But obviously, the implications of finding a vulnerability or really the implications if somebody were to, you know, not find it and one of the capture the flags, and then it would be exploited or not learned from it, and then design it so that there isn’t an exploit could be very, very specific, with consequences ranging from Functional Safety, to personal health, to finances, anything really, it just depends where that, quote unquote general purpose hardware is actually deployed later.

 

Ahmad Sadeghi  15:56

This is why we put it in an open source platform, because certainly, we cannot put it in commercial platform because companies would not provide that. But this open source platform, on the other hand, is a good vehicle. That is also from the philosophy of open source hardware, we see that this is getting more popular. And exactly these things, like even finding bugs by injecting into the SOC and provided to a competing teams. It shows how important it is that we have an instrument or vehicle, like open source hardware that we can run all these problems that also concern other CPUs from all other companies. It’s not only Intel, it is arm it is AMD, it is everyone. And that makes it also more interesting for many segments, because these vulnerabilities are not specific to a certain processor.

 

JV Rajendran  16:50

 And also the type of bugs that we implant into the competition’s, they are all inspired by this common weakness, enumeration listings, if you see the type of books that we implant, they are all kind of donated by different companies from different market segments by implanting those type of works, we kind of reflect the problems faced not just by semiconductor industry, but also other industries that get to use these chips.

 

Camille Morhardt  17:16

Okay, so this is essentially an international log, I believe it’s actually housed mitre in the United States, but it’s used globally. And it actually enumerates describes the vulnerabilities and makes them transparent and multiple people different enter make entries into this so that everybody can become aware of hardware vulnerabilities that exist, and so not replicate them.

 

JV Rajendran  17:40

Absolutely, that has been a big influence, even for our research, because now we know like, hey, these are the bugs are the problems that the companies care about. So let’s use those things to actually kind of reflect the real world scenario.

 

Camille Morhardt  17:53

So JV, I want to give people just a flavor of what some of the research that you’re working on now is. So can you help us understand what you’re looking at?

 

JV Rajendran  18:03

So first, let me explain the supply chain security because that’s where I got my PhD. So especially with us most of the semiconductor designs, they happen in us but not necessarily the manufacturing. Of course, this doesn’t apply to me tell the chips that are manufactured in us are being used in many critical infrastructure ranging from smart grid to aircrafts to your missile defense systems. But how do I trust the chip that is not manufactured under my control or not even designed under my control, and that I can be a verity of attacks ranging from people inserting malicious circuits directly into the hardware called hardware, Trojans, or people reverse engineering and stealing the designs. Our lab aims to develop techniques to protect the designs against these kind of attacks. Actually, I have a running DARPA project with Intel labs called Sahara, which aims to leverage Intel’s latest EA sic technology to prevent reverse engineering attacks or stealing attacks in this unsecured supply chain. That is one flavor of research that we do. The second flavor of research that we do is coming up with techniques to detect vulnerabilities slash bugs in hardware designs. So that is the line of work that we work with, again, with Intel through this hack, and even that of competitions. And we are also hopefully, if things work out, we are also trying to get a project with Intel and get things going along those slides.

 

Camille Morhardt  19:32

Good pick. This is really top of the news right now. And yeah, it’s not fair because you don’t really get credit for for what you pick probably when you pick it if you’re choosing very well. It actually isn’t top of the news, but now you’ve been working on it. And everybody’s talking about this right now.

 

JV Rajendran  19:48

Well, I’m not sure about that, because I think it works vice versa. And I get to talk with senior people like half a mile and say like, Hey, this is the problem that I want to work on. What do you think about it and get their advice. And suddenly that becomes the news are I just follow the news articles and then try to publish with problems? I think it works both ways.

 

Camille Morhardt  20:07

So you’re reverse engineering it. 

 

JV Rajendran  20:10

Yes. You could say that.

 

Camille Morhardt  20:12

 So Emad, can you give us a sense of what you’re doing research on in your lab, you are head of system security lab, again TU Darmstadt.

 

JV Rajendran  20:20

In my lab, I have three groups or three subgroups. One subgroup considers security analysis of Internet of Things devices, many devices now can be included into the Internet, and they have internet connectivity. Most of these devices have security problems, and we analyze them. So their job is in a specialized group, their job is to principally hack into any system that they get. This is also a work that concerns a number of companies because we do it this responsible disclosure to those companies, it generates a number of other interesting problems.

 

Camille Morhardt  20:56

Where you can I ask you a question about that is your team mostly focused on looking at what I would refer to as legacy or Brownfield devices that were deployed possibly many years ago and are now becoming connected? Or are you guys looking at new devices, maybe even more specifically, consumer oriented devices that are coming out of the gate already with the intention of being connected?

 

JV Rajendran  21:20

 We do a kind of market research. If this device exceeds a certain popularity, that means more people are using it, we buy this device, and we hack into it. Or we extend this device with our ideas and make in such a way that this device, for example, connects to other devices. In fact, other devices are concentrated on devices that are really each new devices coming to the as an IoT device to the market, from IP camera to a tracking device to fitness tracker, all of these things, as soon as that they exceed a certain popularity, if only five people are using it, it’s not interesting. And then we do a security analysis for but this means also, we sometimes need to do security analysis for processors. That could be for small devices. But then if you have an interesting question, then we can also look into the processors that are in the PCs or in servers or whatever. So that means it amplifies that there is a starts with I O T and goes to this direction and the other direction. 

 

Camille Morhardt  22:20

Okay, so you’re looking at two aspects you’re looking at first, is it hackable itself, where it could be used actually to remove information from other devices that it’s connected to in your environment?

 

Ahmad Sadeghi  22:31

we can use voice assistance, for example, with a malicious skill, which is a kind of app for voice assistance, and connect it to another device and do amazing things with it that not all of them can be published. But those that we can talk about, we can of course, demonstrate and how you can do this, the fitness tracker, all your data, because people compete when they have these fitness trackers. And to see who is consuming more calorie who does this was better heart rate. And these things are privacy sensitive. And we could even change all these things on the server of a very famous fitness tracker. These are the things that we do another team, it looks only to software, software security. And there is a last thing, which is called the system security team. They look really into the security features of hardware hardware with security features, and they use it to build secure systems, or even find problems in those systems that are either deployed or they are only research proposals. So these are the different areas that my team is Yeah, I have a bigger team. So they’re looking into this problem.

 

Camille Morhardt  23:41

All right. Well, this has been really interesting. I have to be honest with you, I didn’t know much about Capture the Flag other than a game I played as a child actually outside until this conversation. So really interesting to learn about it as well as both of your research. And I did just get advice yesterday to say the last name of my guests because by the time we get to the end of the interview, people are really intrigued and want to look up more. So I will say thank you so much, JV Rajendran, and again, Texas a&m, and thank you so much, Ahmad Sadeghi, from TU, Darmstadt, all the way over in Germany. Like No, not any different from the other room here. And we’re going virtual. So really nice to talk with you both. And again, congratulations on receiving the Intel security academic leadership award.

 

JV Rajendran  24:31

Thank you. And thanks a lot for your invitation to this podcast. I would like to add to our internal collaborators with whom our teams work closely our own kind of party and Harish Khatri, because those are the engineers that work closely in organizing these hacker even competitions and most of them tend to be also the judges of these competitions. And also I would like to thank my students raffle, Josh Chen, how much students who your students got as well as Saturday. who have been helping us with packet even competitions throughout the years our sponsors NSF and arrow and Qualcomm funding as different instances of these competitions. I would also like to thank a number of people in Intel but Jason Fung and Andre john Sridhar Iyengar. These are people who are tirelessly working with academia to discuss them before their vision, to create a better world with smart people getting together and solve real world problems. For that, I would like to thank Intel for being a good partner for in the last 10 years that I’m working with them.

 

Camille Morhardt  25:38

Okay, I will pass it along. And actually, it’s funny you mentioned Jason because I did recently interviewed Jason Fung and I think we’re gonna come out with an episode soon. That’s titled offensive security research, aka hacking. So that should be an interesting topic.

 

ANNOUNCER  25:54

 Thanks for joining us for Cyber Security Inside. You can follow us here on YouTube or wherever you get your audio podcasts. The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.