The Cyber Grand Challenge uses its own words for many things that Capture the Flag players already know by other names. Here is a glossary.
- CGC Finals Event, or “CFE”
- The final CGC competition, scheduled for August 4, 2016. Similar to an attack-defense CTF, competitors try to discover flaws in software, patch them, and exploit these flaws. "It's pretty cool that you don't need a DEF CON ticket to watch CFE."
- CGC Qualifying Event, or “CQE”
- The first phase of CGC, held June 3, 2015, narrowed the field of twenty-eight CGC competitors to seven finalists. Most analogous to a Jeopardy-style CTF, in that teams only saw organizer-controlled binaries. "I liked reading all the tweets during CQE."
- Challenge Binary, or “CB”
- A single binary distributed as part of a challenge set. Challenge binaries use the CGC Executable Format (CGCEF), and as such have a limited set of system calls available to them. A challenge binary in a cset with only one CB would be named “LEGIT_12345”. If there are multiple CBs in a cset, they get names like “LEGIT_12345_1” or “
- Challenge Set, or “cset”
- One or more challenge binaries that get distributed to competitors, a set of pollers that may or may not be distributed during the competition, and a proof-of-vulnerability from the author that is not distributed during the competition. Think of a “service” in an attack-defense game or a “challenge” in Jeopardy. Challenge sets have names like “
- Consensus evaluation
- A new format for CTF, distinct from attack-defense and Jeopardy-style. This is the CTF format CFE and DEF CON CTF 2016 will use. Competitors retrieve challenge sets, produce replacement challenge binaries, IDS rules, and PoVs, and then submit them to the scoring system. RCBs and IDS rules are evaluated for performance metrics, and PoVs are launched against opposing teams. The big change is that RCBs and IDS rules are shared with every other team. More on this in a later post.
- Cyber Reasoning
- The set of algorithms and techniques a competitor uses to reverse engineer, prove vulnerability in, and replace a challenge binary. In other words, the skills a hacker uses to figure out, exploit, and patch a binary.
- Cyber Reasoning System, or “CRS”
- A computer program that figures out, exploits, and patches binaries. "Did you hear that Trail of Bits's CRS made the lights dim in the AWS DC when they turned it on?"
- Intrusion Detection System, or “IDS”
- A programmable firewall that lives between challenge sets and the scoring system. Similar to challenge binaries, competitors can submit their own using a simple rule format. "I'm not sure you're parsing out the comments in this IDS correctly."
- Magic Page
- CFE CBs have a magic page of random data mapped when they start. This data is available for CB authors to use as entropy for unpredictable operation, and for PoV authors to steal. Polls negotiate with the CB launching system to get the magic page they need, while PoVs have to deal with not knowing the magic page (until they steal some of it, of course). In CFE binaries, the magic page lives at 0x4347C000 and is 4096 bytes long.
- Poll, or “poller”
- Similar to availability checks or SLA checks in attack-defense games, CGC polls interact with a challenge set to demonstrate and enumerate behavior that must not be patched out. In CQE, polls are XML files that can be either hand-made or automatically generated with a poll generator. CFE pollers must be automatically generated XML files, and must depend on magic page data.
- Poll generator
- A Python script and a state machine YAML file used to generate some CQE and all CFE polls. The poll generating tool selects a flow through the state machine, and uses the Python script to generate inputs and expected outputs for the CB to be tested against. Polls can be generated ahead of time and cached on the filesystem for use and reuse against multiple teams at the same time.
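The magic page, poll and poll generator entries above describe one mechanism: a poll is a scripted conversation, produced by walking a state machine, whose expected answers depend on the magic page of the CB instance it is replayed against. The following is an added example, not code from this post or from the CGC tooling, that models this in plain Python. It uses a toy state machine for a constructed HELLO/AUTH/PING/QUIT service (an inline dict instead of the YAML file the real generator reads), a seeded walk that emits write/read steps whose AUTH token is derived from the first four magic-page bytes, an XML serializer whose element names are assumed to follow the CGC replay DTD (illustrative only), and a simulated CB plus an over-patched RCB to replay the poll against. The protocol, the `session_token` derivation and every function name here are assumptions made for the example.

```python
"""Toy CFE-style poll generator and replayer (added example, not CGC code)."""
import random
import struct
import xml.etree.ElementTree as ET

MAGIC_PAGE_ADDR = 0x4347C000   # address given in the post for CFE binaries
MAGIC_PAGE_SIZE = 4096         # size given in the post

# Constructed protocol for the example (not a real challenge):
#   HELLO        -> HI
#   AUTH <tok>   -> OK if <tok> is the CB's session token, else DENIED
#   PING <n>     -> PONG <n>   (only after a successful AUTH)
#   QUIT         -> BYE
# The session token is derived from the magic page, so a poll that does not
# know the magic page cannot get past AUTH.
STATE_MACHINE = {
    "start":   [("greeted", "hello")],
    "greeted": [("authed", "auth")],
    "authed":  [("authed", "ping"), ("done", "quit")],
}


def session_token(magic_page: bytes) -> str:
    """Token the simulated CB derives from its magic page (first 4 bytes, LE)."""
    return "%08x" % struct.unpack("<I", magic_page[:4])[0]


def generate_poll(seed: int, magic_page: bytes, max_pings: int = 3) -> list:
    """Walk STATE_MACHINE with a seeded RNG and emit (direction, data) steps.

    The seed makes the poll reproducible, so it can be generated once and
    cached; the magic page makes the expected output specific to one CB
    instance, as CFE pollers must be."""
    rng = random.Random(seed)
    state, steps, pings = "start", [], 0
    while state != "done":
        choices = STATE_MACHINE[state]
        if state == "authed" and pings >= max_pings:
            choices = [("done", "quit")]          # bound the walk
        state, action = rng.choice(choices)
        if action == "hello":
            steps += [("write", "HELLO\n"), ("read", "HI\n")]
        elif action == "auth":
            steps += [("write", f"AUTH {session_token(magic_page)}\n"), ("read", "OK\n")]
        elif action == "ping":
            n = rng.randrange(1000)
            pings += 1
            steps += [("write", f"PING {n}\n"), ("read", f"PONG {n}\n")]
        elif action == "quit":
            steps += [("write", "QUIT\n"), ("read", "BYE\n")]
    return steps


def poll_to_xml(cbid: str, steps: list) -> str:
    """Serialize steps as write/read elements (element names assumed to follow
    the CGC replay DTD; illustrative only)."""
    pov = ET.Element("pov")
    ET.SubElement(pov, "cbid").text = cbid
    replay = ET.SubElement(pov, "replay")
    for direction, data in steps:
        node = ET.SubElement(replay, direction)
        if direction == "read":
            node = ET.SubElement(node, "match")
        ET.SubElement(node, "data").text = data
    return ET.tostring(pov, encoding="unicode")


def make_cb(magic_page: bytes, patched_auth: bool = False):
    """Simulated CB: returns a handler mapping one input line to one response.

    patched_auth=True models an over-eager RCB that 'fixed' AUTH by removing
    it, which breaks behaviour the polls require."""
    token, authed = session_token(magic_page), False

    def handle(line: str) -> str:
        nonlocal authed
        cmd, _, arg = line.rstrip("\n").partition(" ")
        if cmd == "HELLO":
            return "HI\n"
        if cmd == "AUTH":
            if patched_auth:
                return "DENIED\n"
            authed = arg == token
            return "OK\n" if authed else "DENIED\n"
        if cmd == "PING" and authed:
            return f"PONG {arg}\n"
        if cmd == "QUIT":
            return "BYE\n"
        return "ERR\n"
    return handle


def run_poll(steps: list, handle) -> tuple:
    """Replay a poll against a handler; return (passed, index of first mismatch)."""
    pending = None
    for i, (direction, data) in enumerate(steps):
        if direction == "write":
            pending = handle(data)
        elif pending != data:
            return False, i
    return True, None


if __name__ == "__main__":
    # Constructed magic page standing in for the 4096 random bytes at MAGIC_PAGE_ADDR.
    magic = bytes(random.Random(0).getrandbits(8) for _ in range(MAGIC_PAGE_SIZE))
    steps = generate_poll(seed=42, magic_page=magic)
    print(poll_to_xml("LEGIT_12345", steps))
    print("original CB:", run_poll(steps, make_cb(magic)))
    print("bad RCB    :", run_poll(steps, make_cb(magic, patched_auth=True)))
```

Replaying the same poll against a CB started with a different magic page fails at the AUTH read, which is why the launcher has to hand the poller the page its target was started with, and why an RCB that removes AUTH fails the poll even though it "fixed" the code path.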
- Proof of Vulnerability, “PoV”, pronounced “pauve” to rhyme with “mauve”
- An exploit. A Proof of Vulnerability is either a CGCEF executable, or an XML file that can be compiled into one, that triggers a vulnerability in a cset. PoVs fall into a few broad classes: CQE PoVs merely needed to trigger a segmentation fault or an illegal instruction fault. CFE PoVs must either negotiate and demonstrate register control (a Type 1 PoV) or disclose magic page data (a Type 2 PoV).
- Replacement Challenge Binary, or “RCB”
- A replacement for a CB in a cset submitted by a competitor, similar to how you’d patch a service in attack-defense. In CFE, all RCBs are visible to all teams for consensus evaluation.
- Scoring system, or “referee”
- In consensus evaluation games, the scoring system is a complex beast doing much of the heavy lifting to run the game. It accepts RCBs, PoVs, and IDS rules, and evaluates them. It uses the results of evaluation to calculate score changes.
Some of these terms may not make a lot of sense yet. We've got more posts planned to help it all fit together and provide more context.