UC Santa Barbara’s International Capture the Flag (iCTF) hacking competition celebrated its 20th anniversary from Dec. 2-8. UCSB’s Department of Computer Science has hosted the event since 2003 and it is one of the world’s largest educational security competitions.
The competition’s 20th year is being celebrated slightly differently. For the first time, the 2023 iCTF competition has opened a separate competition for high school students in addition to the thousands of university students participating. This expansion of the competition was furthered by UCSB’s brand new AI Institute for Agent-based Cyber Threat Intelligence and Operation (A.C.T.I.O.N.) and UCSB’s Women in Computer Science chapter.
The A.C.T.I.O.N. Institute, a research center funded by the National Science Foundation in 2023, involves experts from 11 institutions who work to change how mission-critical systems are protected from security threats. While the A.C.T.I.O.N. Institute helped to create some of the competition’s challenges, others were developed by graduate students of Giovanni Vigna—professor of computer science at UCSB, director of the A.C.T.I.O.N. Institute and founder of iCTF—as well as students from other universities involved with the A.C.T.I.O.N. Institute.
Although the event is commonly labeled a “hackathon,” Vigna encouraged calling it a “security competition.” The competition’s goal is to compromise the security of the competition’s challenges, not just to hack.
Competition participants are set on capturing the virtual flag. Traditionally, there are three types of capture the flag competitions: jeopardy, attack-defense and mixed. In the competition’s past, the goal was for teams to attack each other, but this year, the competition was jeopardy style or challenge-based. In general, challenges involve artificially vulnerable programs where the teams must find, patch or abuse the vulnerabilities.
For a week, teams of no more than 10 people worked together to solve challenge sets. Solving a challenge yields a flag. Each flag earns the team points, and the team with the most points at the end wins. The competition’s format allowed for teams of hackers to gather on campus or come together remotely.
The first type of challenge was the data challenge. Vigna explained that given a file, hackers “could perform a forensic-like operation” on it. He added that they also might “have [had] to connect to a server and break into it, compromise the security, steal the flag, submit it and get points for it.” You’ll know you’ve acquired a flag when you see this:
In 2005, Vigna formed a team of hackers known as Shellphish. Shellphish’s “mission is to explore the science behind hacking, looking for novel approaches to break and fix real-world systems.” They have participated in more DefCon capture the flag competitions — the largest open computer security hacking game — than any other team in the world. Vigna fondly remembered working with his team in the past. “The fun thing is when you participate, you always learn a lot. You’re all in a group and you order pizza. It’s a good team building exercise.”
Learning by doing is much more interesting than just reading papers, as Vigna’s experiences with the Shellphish team suggest. This aligns with the A.C.T.I.O.N. Institute’s goals: the institute wants to teach younger kids about artificial intelligence and security. “What is better than the gamification of learning for high school students?” Vigna said. “No one wants to read a paper, but if you say, ‘Hey, participate in this competition and there is a scoreboard,’ that’s a lot more interesting.”
Thinking about the future of iCTF, Vigna reflected on his own competition experience and field expertise. “Vulnerabilities that were ‘cool’ in 2003 are now considered things you would teach in kindergarten, metaphorically speaking,” Vigna joked. “Things have gotten incredibly more complicated.” To grow the competition in the future, Vigna wants to create a multilevel competition, like an escape room, where you need one challenge to solve the next.
Vigna encourages those interested in the topic to try a game to test their hacking skills: Gandalf AI.