Capture the Flag is a family of competitive games involving opposing teams trying to steal something of value from each other. In computer security, the flag is typically a piece of secret data, and the territory from which it is captured is a computer system controlled by the opponent. There are two popular formats for computer security Capture the Flag (CTF) games: Jeopardy-style and attack/defense.
Jeopardy-style CTF games have the organizers running a set of challenges that each team has to solve for points. This format is popular because of the relatively simple logistics, especially for online games. Challenges are generally independent from each other and ideally idempotent between connecting players, which leads to reliability and stability for large contests. Scoring is nice and simple too: add up the points for solved challenges, and use timing of solutions to break ties. The DEF CON Qualifier has traditionally been a Jeopardy-style game: the engineering and operations work that goes into a game for over a thousand teams isn’t easy by any means, but it’s not difficult either.
Attack-defense CTF games are more similar to CTF in other contexts: the opposing teams themselves control their flags’ defenses, and the organizers merely create and referee a fair playing field. Attack-defense CTFs generally have each team defending one or more vulnerable services, with the ability to attack other teams’ identical services over a network. This game typically requires more work to engineer and operate because the way teams interact with the underlying game systems and with each other is much more complex, and much more open to teams finding weaknesses in the rules of the game itself.
For instance, by destroying a system’s availability to process benign requests (i.e. taking it offline) you can completely rule out processing malicious requests that would compromise confidentiality or integrity. Organizers have to build, run, and score availability checks to require defenders to run potentially-attackable services, otherwise attackers won’t ever have the opportunity to attack a vulnerable service.
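As an added illustration (not code from the original post), here is a toy scoring model in Python showing why availability checks matter: a team that simply takes its service offline earns nothing for defense. The point values, the round structure, and the Jeopardy tie-break on time of last solve are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Round:
    # One team's service in one scoring round (constructed sample data, not real game logs).
    available: bool    # did the organizer's availability check pass this round?
    compromised: bool  # did an opponent submit this team's flag this round?
    captures: int      # flags this team submitted from other teams' services


def score_round(r: Round) -> dict:
    """Points for one round under an assumed rule set.

    A service that fails the availability check earns nothing for availability
    or defense, so taking the service offline can never beat running it."""
    avail = 1 if r.available else 0
    defend = 1 if (r.available and not r.compromised) else 0
    attack = r.captures  # attack points are earned regardless of own availability
    return {"availability": avail, "defense": defend, "attack": attack,
            "total": avail + defend + attack}


def total_score(rounds: list[Round]) -> int:
    """Sum a team's round scores over the whole game."""
    return sum(score_round(r)["total"] for r in rounds)


def rank_jeopardy(teams: dict[str, tuple[int, float]]) -> list[str]:
    """Jeopardy-style ranking: most points first, ties broken by the
    earliest time of last solve (seconds since game start)."""
    return sorted(teams, key=lambda t: (-teams[t][0], teams[t][1]))


if __name__ == "__main__":
    # Constructed sample game: three teams, three rounds each.
    offline = [Round(False, False, 0)] * 3                      # "superman defense": unplugged
    hardened = [Round(True, False, 2), Round(True, False, 1), Round(True, False, 0)]
    leaky = [Round(True, True, 2), Round(True, True, 3), Round(True, False, 1)]
    for name, rounds in [("offline", offline), ("hardened", hardened), ("leaky", leaky)]:
        print(f"{name:9s} {total_score(rounds)}")  # offline scores 0
    # Jeopardy: equal points, earlier last solve wins the tie.
    board = {"alpha": (500, 3600.0), "bravo": (500, 1800.0), "charlie": (400, 600.0)}
    print(rank_jeopardy(board))  # ['bravo', 'alpha', 'charlie']
```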
Modern computing environments have much more powerful defenses available: defenders can and have used virtualization to protect flags in memory, system call blacklisting to protect flags on disk, and other so-called “superman defenses.” Ruling these out to force defenders into a narrowly-defined set of “acceptable defenses” takes considerable organizer effort.
DEF CON Finals is traditionally an attack-defense game. The antagonistic nature of the game makes it a complex test of time management, creativity, and the skills involved in computer hacking that isn’t available in any other legal venue.
There are other kinds of CTF that can be run: some of us have played a game that could best be described as "king of the hill," and the DARPA Cyber Grand Challenge uses a format called "consensus evaluation." The latter will be discussed more here soon, as there are implications for the future of DEF CON CTF there too.