What is MIT/LL Cyber Capture the Flag?

In this version of a "Cyber" Capture The Flag competition, you will work in small teams to both defend your system and attack those of others. The target system is a set of Android applications and associated back-end web services. New functionality will be introduced during the competition via new or modified applications, so be prepared to adapt to novel situations quickly.
The basic schedule of events is as follows (for more details see the "Schedule" page):

  • 10/12: CTF scrimmage.
    This event will simulate (as closely as possible) the actual CTF competition. Participation is optional, but highly encouraged.
  • 10/19: CTF security bootcamp.
    Join us for a discussion of security issues in web applications, binary services and Android applications presented by security researchers from MIT, Lincoln Laboratory and Northeastern University.
  • 10/25-10/27: MIT/LL Capture-the-Flag competition.
    The main event! Award ceremony immediately after completion.
    Onsite representation required to participate.

What are the prerequisites for participation?

There are no formal prerequisites. Working knowledge of Linux will be necessary, and familiarity with the building blocks of web applications, including HTML, PHP, JavaScript, Ajax, and MySQL, will be very useful to have by competition time. This year’s event will also include Android components, so understanding how to find and fix security vulnerabilities in this environment will be a plus. Much of this could be acquired along the way, through self-study.

Are teams limited in size?

Participants are highly encouraged to form teams. This CTF involves both offensive and defensive activities that would be tricky to accomplish alone. Teams must have at least 6 players and at most 8. We require at least 3 team members to be present in person during the competition to maintain team eligibility (that is, the other players can rotate to get some rest, etc., but the total number of players is still limited to 8).

Can a team participate remotely?

Remote participation for the scrimmage is allowed, but onsite presence is required for the actual competition.

Will there be prizes?

We hope you will be motivated to participate in CTF because of all you will learn about how (and how not) to secure web services and Android applications. But if not, there will also be prizes!

  • 1st place: $3,000 cash prize and MIT/LL CTF flag.
  • 2nd place: $2,000 cash prize.
  • 3rd place: $1,000 cash prize.

All participants will also receive MIT/LL CTF T-shirts!

Can graduate students play?

Absolutely! If you have a .edu e-mail address and a current student ID, you can play.

I'm a faculty member who will help support the team (organizing, driving, etc.). Should I also register?

No, registration is only required for players. You're welcome to provide food/coffee/moral support to your team; however, no technical assistance is permitted during the competition.

Can we attack the game infrastructure?

Generally speaking, NO.

However, there's one exception - the MIT/LL CTF AppStore is actually part of the game. This vulnerable web application will be protected by A3, which is a managed execution environment that is being developed by Raytheon BBN Technologies under the DARPA CRASH program. A3 offers a number of services to improve the resiliency of applications managed by it and should be pretty transparent, except for the following:
a) A little increase in response time (latency)
b) Occasional need to re-upload every team's app (state reset).

The added latency is due to A3's prevention-focused monitoring of network inputs and its monitoring of ongoing execution for undesired states. The re-upload is not strictly necessary, but it simplifies operation if A3 restarts the AppStore. Instead of restarting from the last committed state (which may not have the latest version of every team's app), the AppStore restarts with a clean state and everyone is asked to re-upload. Apart from filtering network input and catching pre-specified undesired execution states, A3 can perform replay-based experiments to isolate the inputs that led to the undesired state and adapt its preventive policies to block future occurrences of such inputs.

To learn more about A3, please take a look at http://doi.acm.org/10.1145/2090181.2090186.

Last year players could access server VMs to set up defenses a day before the competition. Is that happening again this year?

No. We've decided against providing remote access this year (it's logistically difficult), so everyone will get access to their VMs on Friday evening once the competition begins. We've extended the competition duration this year, so there should be enough time for both on-server defense setup and challenge attack and defense during the actual event.

Can multiple teams steal the same flag?

Yes. Suppose a flag is given to team A. Team B can steal it from team A. If it is successfully deposited into team B's service, then team C can subsequently steal it from team B. Both B and C get points for stealing A's flag; since it gets added to their flag total (assuming both deposits are successful), they are now scored on its integrity as well.

I have a question that's not answered here. What do I do?

Send us an e-mail at MITLLCTF-org@mit.edu.