Registration is now open!


  • Registration is now open!

    Hiding Backdoors in plain sight

    The CoreTex Competitions Team from Core Security is happy to announce the 1st Open Backdoor Hiding & Finding Contest to be held at DEFCON 0x12 this year!

    Hiding a backdoor in open source code that will be subjected to the scrutiny of security auditors by the hundreds may not be an easy task. Positively and unequivocally identifying a cleverly hidden backdoor may be extremely difficult as well. But doing both things at DEFCON 0x12 could be a lot of fun!

    If you liked reading about the exploits of C. Auguste Dupin, the devious Minister D. or even The n00b Prefect Monsieur G.[*], here's a chance to role-play all of them at DEFCON using your favorite coding and code auditing techniques.

    Registration is now open at Here

    Questions, feedback, comments and general discussion at Defcon Forum

    Quick intro

    Two in one Backdoor Hiding/Finding Contest (participate in either or both): In the first stage, hiding participants provide a source code hiding a backdoor, in the second stage organizers mix the source codes with non-backdoored (placebos), and then ask finding participants to spot the placebos. Hiding participants get hiding points for being voted as a placebo and finding participants get points for spotting the placebos and negative points for false positives.

    Contest Description

    The contest includes two games: a backdoor hiding and a backdoor finding contest which are played simultaneously. The contest will be played in two rounds: a qualification round that starts before the conference and ends during the conference, and a second (smaller and shorter) round during the conference. Each round is a multi-player game, which is played in two stages. The timeline is included below.

    Prizes will be announced shortly. We will give prizes for all those that get to the qualification round and special prizes for the winners of each contest.

    Qualification round

    Stage 1 (hiding): All participants registered for the backdoor hiding game are given a set of requirements for a software program. Before the deadline, they must submit the source code for a program that fulfills these requirements plus includes a backdoor. They must also send a description explaining how to exploit the backdoor.

    Stage 2 (finding): There is new time to register for the backdoor finding game. All players registered are given a bundle with the different pieces of source code. To each bundle the organizers will add a few placebos (source codes that fulfill the requirements but should not include a backdoor). Before a deadline, the players must answer for each source code if they believe it includes a backdoor or not.

    The winners of each game are the ones that accumulate the most points. There is a table for computing points (which can be positive or negative) for the finding contest (X points if it was voted as backdoor and had a backdoor, Y points if it was voted as backdoor and hadn’t a backdoor, etc.).

    For the hiding contest, it’s simpler: each time one player’s source code was voted as non-backdoored, the player is given 1 point. The first participants of the backdoor hiding contest with the most points qualify for the second round.

    Same with the finding contest.

    Final Round

    Stage 1: We provide a source code in C/C++ and describe the requirements it fulfills to all the players. We then describe an additional requirement, and players must write a patch to this source code such that all of the requirements are fulfilled and a backdoor is hidden in the code. They must also provide an explanation on how to use the backdoor.

    Stage 2: Again, the organizers will add a few patches/source codes that fulfill the requirements but do not have backdoors. A jury composed of the winners of the hiding contest (1st stage), a small set of well-known security experts and the players of stage 1 (round 2) have 3 hours to cast their votes for each source code if it hides or does not hide a backdoor. Points are computed according to the same strategy as in the first round.

    The contest is not restricted to any particular programming language. However, it is part of the instructions that the “work” was commissioned by a government that needs this software and will audit it. Hence, most players will stay away from non-mainstream programming languages –since the non-backdoored programs will most probably be developed in C, C++, etc.


    Timeline
    • July 1, we open registration.
    • July 19th, we open the 1st stage of the qualification round. Participants are allowed to register until before the July 29 deadline.
    • Thursday July 29, 0hs, we stop receiving source codes. Registration for 2nd stage of the first round continues.
    • Friday July 30th, 0hs, we open the 2nd stage of the qualification round: users are allowed to download the source code bundles; the site accepts votes (YES/NO)
    • Saturday July 31st, 12hs, Registration and voting are closed. Shortly, we announce first round winners of the backdoor-hiding and backdoor-finding contests.
    • Saturday July 31st, 16hs, we start the second (and final) round which will last less than two hours. Players have some time to write a patch for a given source code and include a backdoor.
    • Saturday July 31st, 17:30hs, The eminence jury members (3-5 members, TBD), winners of the backdoor-hiding qualification round and the winners of the backdoor-finding qualification round are allowed to vote for the final round winner. They have 30 minutes.
    • Sunday 1, 14hs. Winners are announced and prizes delivered in the DefCon Awards Ceremony.



    Register now, have fun and see you at DEFCON-0x12 !
    [*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from the 1845 tale "The Purloined Letter" by Edgar Allan Poe

  • #2
    Re: Registration is now open!

    Looks cool as hell, guys. I'll be watching closely -- and look forward to the outcome and all the source code after it's all said and done! Is there an actual location at DEFCON where any of this will be happening or is it all done online? It'd be cool to see some of the later rounds (especially the quick ones) in person.


    • #3
      Re: Registration is now open!

      Originally posted by Club81:
      Looks cool as hell, guys. I'll be watching closely -- and look forward to the outcome and all the source code after it's all said and done! Is there an actual location at DEFCON where any of this will be happening or is it all done online? It'd be cool to see some of the later rounds (especially the quick ones) in person.
      Kind DefCon has reserved some tables for us.

      The contest is organized in two rounds: qualification & final. Each divided in two stages, hiding & finding. The finding stage of the qualification round and all of the final round will happen on site. Anyone can register during the qualification round and sit with us to audit code for backdoors until Saturday noon. We'll be waiting for you.

      The second will last two hours starting Saturday 31st at 4pm. The participants in the first 10 positions of the hiding contest qualification round participate in the final round of the hiding contest and the first 10 positions in the finding qualification round participate, together with a small set (<5) of well-known security experts (Tavis Ormandy and Dino Dai Zovi already signed in), in the final round of the finding contest.

      Cheers!
      Ariel
