Hack@Sec2020
Hard-CTF

The recent outbreak of microarchitectural attacks that are being continuously uncovered has shown us the hard way that our trust assumptions in the underlying hardware of our computing systems and security architectures are unjustified. Besides microarchitectural design flaws, System-on-Chip (SoC) designers often use third-party intellectual property (3PIP) cores and in-house IP cores to design their SoCs. Trustworthiness of such SoCs can be undermined by security bugs unintentionally introduced during the implementation and integration of these IPs. Each SoC has its own defined usage scenario and corresponding security objectives. When exploited, a security weakness often results in compromise or bypass of at least one of the product security objectives. As we have already witnessed, attacks may lead to a system failure or deadlock, or generate a side channel to remotely access sensitive information (e.g., cryptographic keys), or gain privileged access to the system enabling them to bypass the security mechanisms in place and compromise the whole computing platform.

The goal of this competition is to develop practical and effective solutions and computer-aided tools to identify such vulnerabilities more efficiently in buggy SoCs.

What is Hack@Sec?

Participating teams in this competition try to mimic the practices of a security assurance team that is responsible for the security assurance of the hardware and firmware of the system under test. Their objective is to identify the security vulnerabilities (both microarchitectural/side-channel flaws as well as security bugs), assess their security impact, propose a mitigation, and report them. They are free to use any tools and techniques of their choosing. Participating teams will be affiliated with one of two categories: either student-only or mixed. Student-only teams comprise only of students affiliated with academic and research institutions, while mixed teams can comprise of members affiliated with industry only or both industry and academia.

The competition has two phases:

Phase I: This is a warm-up phase where participating teams are given a “buggy” SoC design which they need to analyze to identify as many security vulnerabilities as possible. We will provide specification details and the desired security properties and threat model. Freedom to choose tools and techniques is intended to minimize the barrier of entry for teams. Finalists will be selected from both team categories to participate in Phase II.

Phase II: This is a live capture-the-flag competition co-located with USENIX Security 2020 where all registered participants from Phase I as well as any other teams that choose to register anytime until Phase II can participate in. The same SoC design but with a new set of bugs are provided to the competing teams and they will need to apply their techniques (and any tools developed) to detect as many vulnerabilities, but in a limited time-frame (~48 hours). Bug submissions from the teams will be evaluated live and winners from both categories will be selected.

Participating in Phase I is not mandatory to participate in Phase II, but recommended. This gives teams a warm-up opportunity to figure their way around the SoC before the time-limited Phase II. Nevertheless, all teams are very welcome to register for Phase II any time up until the date of the competition (August 10, 2020)!

Who can participate?

Each team must meet all of the below eligibility requirements:

  1. A team member can be a student or a working professional.
  2. Provide ‘single’ e-mail address for your team.
  3. A team can consist of up-to 4 members (excluding the adviser).
  4. A team member cannot be associated with multiple teams.
  5. Individuals associated with Texas A&M University and TU Darmstadt are not allowed to participate in the competition to avoid conflict of interest.
  6. Individuals affiliated with multiple organizations can participate in one single team.
  7. No entry fee is required to participate in the competition.
  8. The organizers reserve the right to disqualify entries at their discretion.

Deadlines

  • Jan 5, 2020: Registration begins.
  • March 15, 2020: Phase I starts.
  • May 31, 2020 July 14, 2020: Phase I ends and final submissions are due.
  • August 10, 2020: Phase II registration ends.
  • August 10-11, 2020: Phase II immediately before USENIX Security.
  • August 12, 2020: Winners are announced during USENIX Security.
organizers

Organizers

Students

Phase I

Phase I Top Scorers

Congratulations to our top scoring teams from Phase I. You are now all set for Phase II live at USENIX Security 2020!

# Team Name Affiliation Score
1 VUSec Vrije Universiteit Amsterdam 331
2 SICADA_s Kookmin University 74
Teams
NameAffiliationType*
0xdeadbeefUniversity of Illinois Urbana-ChampaignIndustry
cDsNAIndustry
hordsecFederal University of Technology - Parana, Brazil; LACTEC; Red HatIndustry
LesSemisCroustillantsCEA ; University of Montpellier; University of Grenoble; University of LyonStudent
NYU-CCSNew York UniversityIndustry
ROPilicious National Institute of Technology Karnataka(NITK)Student
Rose-HulmanRose-Hulman Institute of TechnologyStudent
RSoC (Rachel and the Sons of ChaOS)Self/Industry ProfessionalsIndustry
S4LabNAIndustry
SICADA_sKookmin UniversityIndustry
Sice SquadUniversity of Maryland, College Park; Carnegie Mellon University; University of Pittsburgh; University of California, BerkeleyStudent
SnxTIIIndustry
Spark 343University of Texas at DallasStudent
Ti_SecTexas InstrumentsIndustry
VOLsecUniversity of TennesseeIndustry
VUSecVrije Universiteit AmsterdamStudent
whatwhatHUJIStudent

*Teams that mix industry professionals and students are shown as “Industry”.

Register

To register for Phase I or Phase II, please fill in the form below or use this link. You will receive a confirmation email afterwards.

Contact

You can contact the organizers via email at hackasec@gmail.com.

The competition has a Slack channel as well. Please check the invite page to join the channel.

Venue & Travel

The Hack@Sec2020 will be held virtually on 10-11 August 2020 and is co-located with the 29th USENIX Security Symposium. On 12 August, a “Hack@SEC Winner Report Out and Award Ceremony” session will be held to announce the winners! Stay tuned for more details on our logistics and timelines.