The Ultimate Capture the Flag Game

Team Shellphish, a group of computer science graduate students at UC Santa Barbara, is one of seven teams to compete in the finals of the Cyber Grand Challenge, the first cybersecurity competition of its kind designed to advance and revolutionize the defense of automated security systems.

The competition is sponsored by the Defense Advanced Research Projects Agency (DARPA), an area of the U.S. Department of Defense responsible for the development of emerging technologies for use by the military.

The contest began more than a year ago with a total of 104 participating teams. The finalist teams, whose members hail from industry and academia, receive $750,000 to prepare for the ultimate competition — the world’s first live, all-computer Capture the Flag (CTF) tournament to be held at the renowned hacking conference Defcon in Las Vegas in August 2016. The winning team will take home the grand prize of $2 million.

“For the students on the Shellphish team, qualifying in the Cyber Grand Challenge is a great achievement,” said Giovanni Vigna, a professor of computer science at UCSB. “We are proud to share this achievement with six other amazing teams from top universities and companies whose sole focus is on vulnerability analysis.”

Born in the UCSB’s Computer Security Lab (SecLab) Team Shellphish is the longest-running hacking team in CTF competitions around the world. Shellphish members hail from UCSB’s computer science department as well as from other institutions, such as Northeastern University in Boston and Eurecom in France.

“We have a strong academic background,” said Vigna. “Our focus is on developing novel algorithms and techniques to automate vulnerability analysis, rather than just becoming proficient in hacking.”

But the Cyber Grand Challenge is no ordinary CTF hacking event. In CTF contests, experts reverse engineer software, seek out weaknesses and deeply hidden flaws and create securely patched replacements.

Contrary to an average CTF contest, however, the Cyber Grand Challenge qualifying rounds advanced only those teams that demonstrated advanced capability in automatically analyzing and securing vulnerable software. To explain complexity of the Cyber Grand Challenge, Vigna used the analogy of an autonomous robot battle in which strength in programming determines how the robots will fare in attack, defense and recovery.

“Imagine a combat zone, with robots set to destroy other robots while they self-repair, all without human intervention,” said Vigna. “The difference here is that instead of robots, there are programs. To prepare for this final battle, we have to improve our algorithms so that sophisticated flaws can be identified and patched in an efficient, automated way.”

For the final competition, the Shellphish team will need to sharpen its algorithms to catch — and then automatically patch — sophisticated flaws in network security. The final competition at Defcon will involve dozens of rounds of attacks in real time on a live network.

According to Vigna, the gamification of the Cyber Grand Challenge is a clever way to foster innovation from top academic and corporate computer scientists across the nation. “Developing systems that can autonomously identify flaws and fix them will ultimately save money and make the Internet more secure,” he said. “Finding flaws and vulnerabilities in programs has become a key component of organizations of all kinds, including nation states.”

In addition to cash prizes and bragging rights, advancing to the Cyber Grand Challenge finals gives Shellphish access to a specialized, cloud-based information technology infrastructure — a “digital arena” DARPA calls it — in which they can practice and refine their attack and defense. Each team will be allocated the equivalent of 16 terabytes of random access memory and 1,000 Xeon cores. For spectators who want to follow along with the action in real time during the finals, DARPA is developing custom data visualization technology