Pondering CTF

    For the past few years I've considered giving a talk as to how functional programming techniques can massively improve security. But I figure, before that, I should probably put my own skills to the test...

    As far as I understand CTF, it seems to be divided into the offensive and defensive skill sets, with qualification centering around the offensive set. As I work primarily in high level languages, I doubt I could qualify unless I really made a concentrated effort to improve my own abilities at discovering the weaknesses of others. But when it really comes down to it, I'm a creator trying to understand and outwit the destroyers.

    My programming background is deeply rooted in Unix network programming, and has been for the past 12 years or so. This does include nearly a decade of C, but now I'm practically allergic. Now I work in functionalesque and functional languages.

    If I were confronted with maintaining some poorly implemented, bug ridden, insecure service, which seems to be the basic premise of CTF, I would first create a specification for the service, then attempt a reimplementation from scratch. Modern high level languages can strip away the boilerplate of such applications, leaving only the core functionality to be considered. If I'm dealing with a service which is effectively simple RPC wrapping a not-too-particularly complex function, using modern functional languages I think I could have a secure and fault tolerant reimplementation done in an hour or less.

    For those experienced with CTF: how complex are the services you have to run? It seems to me that between a team who reinstall and secure the underlying OS from scratch and someone who is able to quickly reimplement all the services being provided that the defensive side of CTF is effectively covered.

    I'm genuinely curious how well people could attack a service created with Behavior Driven Development (i.e. a proper specification of inputs/outputs) verified using a declarative fuzz testing tool (QuickCheck) and implemented in a language which provides guaranteed transactional semantics at the language level as well as massively scalable lightweight concurrency to absorb potential DoS attacks.

    At the application level, the defensive aspect of CTF doesn't seem hard to me at all, and I'm wondering if that's simply because I'm naive, or if modern functional languages actually offer some secret sauce for secure programming. I've considered giving a talk to that effect, but first I'd like to put my code where my mouth is, so to speak...

    All that said, I don't know if I could handle participating in CTF. I mainly go to Defcon to get faded and hang out with people I otherwise know through IRC. I'd hope that if I were ever to have a role on a team whose sole duty was to create reliable, fault tolerant, and highly scalable versions of the services that a CTF server runs, I could simply implement them, verify correctness through testing, and leave them be, then go about my business.

    Do you think that could ever happen?
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
    [ redacted ]