CAPTURE THE FLAG
The First NSF Grand Challenge in Computer Security: Unhackable Servers
Sponsored by BAE Systems
What: A security challenge
When: July 30–August 1, 2008
Where: USENIX Security '08, The Fairmont San Jose, San Jose, CA
How much: $10,000 US prize in cash for the winner; cash prizes for 2nd and
3rd places; plus participation prizes
As we rely on computers for a number of critical tasks in our everyday
lives, their ability to resist and sustain attacks from malicious
hackers becomes more important. For this reason, the first of a series
of Grand Challenges organized by the National Science Foundation (NSF)
will be focused on building unhackable servers. The participating teams
will have to use their science and technical skills to create an
environment where a server can function with integrity and minimum
required service levels even when under attack. Complete details are available below.
The competition is sponsored by BAE Systems, which is providing the cash
for the prizes. The winning team will get $10,000 US. The
second-placed team will get $2,000 US. The third-placed team will get
$1,000 US. The NSF is planning to partially support the students'
participation in the competition and USENIX Security '08. This
means that if you are a student and you want to participate, it is
likely that some travel/participation expenses will be covered by the
organizers. Please check back here for details.
This is an exciting opportunity to do something new, earn a few bucks,
and prove that you are the best at what you do!
To participate, send email to the organizers, Anup Ghosh,
Giovanni Vigna, and Nicholas Weaver, at sec08ctf@usenix.org.
Competition Details
The concept is very simple. On the day of the competition, each
participating team will receive a virtualized server, with a number of
services. The services might be implemented in different languages
(e.g., C, Java, or Python) and may be Web-based or
stand-alone. However, each service will have a number of hidden
security flaws, which have been implanted by the organizers. These
flaws might be used by an attacker to disrupt the service. The
services are part of a mission-critical system (e.g., a life-support
system) and need to be always functioning correctly or some
catastrophic event will happen.
The task of the participants is to modify and improve their servers so
that they become resilient to attacks. The teams will be able to
operate on their servers for a limited amount of time, after which the
only possible interaction with the server will be a reboot operation
(that is, this is a "hands-off" competition).
During the competition, an automated scoring system will keep track of
what services are functional. At the same time, an automated attack
system will perform disruptive attacks against the services. At the
end of the game, the team whose server was able to provide the highest
service level (and also above a minimal threshold) will win the first
prize.