Titulo Estágio
CTF Challenge: A platform to support CTFs for cybersecurity learning
Local do Estágio
DEI-CSLab
Enquadramento
Capture the Flag (CTF) is a style of competition whose goal is to find the “flag” and learn security concepts during the challenge. Usually, the flags are strings that should be found when the challenge is completed, and such flags are used to be submitted in a CTF platform. Through the submission, the participant or the team obtains points based on the difficulty of the challenge. This type of CTF challenge is called “Jeopardy”. However, this is not the only type of CTF challenge. In an “Attack-Defense” type, each team has a network or host with vulnerable services, and their goal is to eliminate the vulnerabilities and develop exploits. The goal of each team is to keep control of as many hosts as possible.
CTF challenges can be used as a learning technique that involves gamification. Through each challenge, cybersecurity concepts are learned and, due to the nature of the challenge, participants are motivated to finish the challenge as soon as possible. There are CTF platforms that can be used to support the CTF challenges. However, most of them were not created with the goal of supporting cybersecurity learning. Hence, the challenges usually last for many hours, which is not suitable to be performed during a regular class.
Through this research, we aim to provide a tailored platform that supports cybersecurity learning with CTF challenges. The learning objectives should be available for the ones configuring the CTF challenges. The platform should report a scoreboard for each challenge, as well as metrics about the challenges for the platform administrators. A validation with participants (students) should be performed, and the results should be presented.
Objetivo
The primary learning objectives of this research are as follows:
• Review the literature about the taxonomy of CTFs, and the types of challenges, and understand the existing CTF platforms to support the challenges.
• Prepare a platform (either developed from scratch or tailored from existing CTF platforms) to perform a CTF challenge.
• Define learning cybersecurity objectives related to the CTF challenges.
• Develop a CTF scenario and perform it with participants.
• Analyze and report the results of one or more CTF challenges performed with students.
The long-term research objective linked to this activity is to build a framework that can support the CTF challenges and present metrics related to it.
Plano de Trabalhos - Semestre 1
T1. [09/09/2024 to 15/10/2024] Literature Review.
During this initial phase, an extensive literature review will be conducted to understand the state of the art regarding the use of CTF challenges, especially the ones tailored for cybersecurity learning objectives.
T2. [16/10/2024 to 15/11/2024] CTF Platform Setup and Preliminary Evaluation
Select available CTF platforms and set them to perform CTF challenges with students.
T3. [16/11/2024 to 30/11/2024] Perform Initial CTF Challenge
Perform CTF challenges with students, and analyze the results
T4. [01/12/2024 to 10/01/2025] Write the intermediate report.
Plano de Trabalhos - Semestre 2
T5. [11/01/2025 to 28/02/2025] Adjust the CTF platform according to the results of the first challenge
Perform adjustments in the CTF platform according to the results obtained in the first challenge with the students.
T6. [01/03/2025 to 30/04/2025] Perform more CTF challenges
Perform additional CTF challenges (2 or 3) with students. Assess the participants learning after the participation of each challenge.
T7. [01/05/2025 to 30/06/2025] Report and Documentation.
The final phase will involve documenting the findings, methodologies, and results. A comprehensive report summarizing the research outcomes, including the configuration of the CTF platform, will be prepared.
Condições
- You will have a position in the CyberSecurity Lab
- Computational infrastructure will be provided to work
Observações
Recommended Bibliography:
1. L. McDaniel, E. Talvi and B. Hay, "Capture the Flag as Cyber Security Introduction," 2016 49th Hawaii International Conference on System Sciences (HICSS), Koloa, HI, USA, 2016, pp. 5479-5486, doi: 10.1109/HICSS.2016.677.
2. Mirkovic, Jelena, and Peter AH Peterson. "Class {Capture-the-Flag} Exercises." 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14). 2014.
3. Kucek, Stela, and Maria Leitner. "An empirical survey of functions and configurations of open-source capture the flag (ctf) environments." Journal of Network and Computer Applications 151 (2020): 102470.
4. Švábenský, Valdemar, et al. "Cybersecurity knowledge and skills taught in capture the flag challenges." Computers & Security 102 (2021): 102154.
5. https://ctftime.org
6. https://securitylab.github.com/ctf/
7. https://ctfd.io
8. https://github.com/facebookarchive/fbctf
9. https://picoctf.com
10. https://github.com/moloch--/RootTheBox
11. https://gchq.github.io/CyberChef/
Orientador
José Alexandre D'Abruzzo Pereira
josep@dei.uc.pt 📩