Hi all,

The CoreTex Competitions team from Core Security is organizing a new contest to DefCon. There follows a first description draft. If you want to share any thoughts or have any questions, please respond to this post or send me an email.

The Contest's wesbite is http://www.backdoorhiding.com

Ariel
CoreTex team
wata@backdoorhiding.com

Backdoor-Hiding Contest (draft 0.1)

Quick intro

Two in one Backdoor Hiding/Finding Contest (participate in either or both): In the first stage, hiding participants provide a source code hiding a backdoor, in the second stage organizers mix the source codes with non-backdoored (placebos), and then ask finding participants to spot the placebos. Hiding participants get hiding points for being voted as a placebo and finding participants get points for spotting the placebos and negative points for false positives.

Contest Description

The contest includes two games: a backdoor hiding and a backdoor finding contest which are played simultaneously. The contest will be played in two rounds: a qualification round that starts before the conference and ends during the conference, and a second (smaller and shorter) round during the conference. Each round is a multi-player game, which is played in two stages. The timeline is included below.

Prizes will be announced shortly. We will give prizes for all those that get to the qualification round and special prizes for the winners of each contest.

Qualification round

Stage 1 (hiding): All participants registered for the backdoor hiding game are given a set of requirements for a software program. Before the deadline, they must submit the source code for a program that fulfills these requirements plus includes a backdoor. They must also send a description explaining how to exploit the backdoor.

Stage 2 (finding): There is new time to register for the backdoor finding game. All players registered are given a bundle with the different pieces of source code. To each bundle the organizers will add a few placebos (source codes that fulfill the requirements but should not include a backdoor). Before a deadline, the players must answer for each source code if they believe it includes a backdoor or not.

The winners of each game are the ones that accumulate the most points. There is a table for computing points (which can be positive or negative) for the finding contest (X points if it was voted as backdoor and had a backdoor, Y points if it was voted as backdoor and hadn’t a backdoor, etc.).

For the hiding contest, it’s simpler: each time one player’s source code was voted as non-backdoored, the player is given 1 point. The first participants of the backdoor hiding contest with the most points qualify for the second round.

Same with the finding contest.

Final Round

Stage 1: We provide a source code in C/C++ and describe the requirements it fulfills to all the players. We then describe an additional requirement, and players must write a patch to this source code such that all of the requirements are fulfilled and a backdoor is hidden in the code. They must also provide an explanation on how to use the backdoor.

Stage 2: Again, the organizers will add a few patches/source codes that fulfill the requirements but do not have backdoors. A jury composed of the winners of the hiding contest (1st stage), a small set of well-known security experts and the players of stage 1 (round 2) have 3 hours to cast their votes for each source code if it hides or does not hide a backdoor. Points are computed according to the same strategy as in the first round.

The contest is not restricted to any particular programming language. However, it is part of the instructions that the “work” was commissioned by a government that needs this software and will audit it. Hence, most players will stay away from non-mainstream programming languages –since the non-backdoored programs will most probably be developed in C, C++, etc.

Timeline
-July 1, we open registration.
-July 19th, we open the 1st stage of the qualification round. Participants are allowed to register until before the July 29 deadline.
-Thursday July 29, 0hs, we stop receiving source codes. Registration for 2nd stage of the first round continues.
-Friday July 30th, 0hs, we open the 2nd stage of the qualification round: users are allowed to download the source code bundles; the site accepts votes (YES/NO)
-Saturday July 31st, 12hs, Registration and voting are closed. Shortly, we announce first round winners of the backdoor-hiding and backdoor-finding contests.
-Saturday July 31st, 16hs, we start the second (and final) round which will last less than two hours. Players have some time to write a patch for a given source code and include a backdoor.
-Saturday July 31st, 17:30hs, The eminence jury members (3-5 members, TBD), winners of the backdoor-hiding qualification round and the winners of the backdoor-finding qualification round are allowed to vote for the final round winner. They have 30 minutes.
-Sunday 1, 14hs. Winners are announced and prizes delivered in the DefCon Awards Ceremony.

More info to be posted shortly.