ICC in San Diego, CA

posted 2023-08-06 (updated 2024-06-25) · vibes @ the international cybersecurity competition

The INTERNATIONAL CYBER SECURITY CHAMPIONSHIP... or challenge, or competition, or something. The best players from around the world (who were available... and applied... and able to travel... and wanted to... and from a participating country... and between the ages of 18 and 25...) duke it out on a global stage with some epic esports lighting, decorating, and commentating, with a day of difficult jeopardy-style CTF challenges and another day of thrilling A/D. We, team USA, got 4th (💀) of 7 teams.

Large poster with ICC 2023 logo and text saying 'WELCOME' and 'GET IN THE GAME.'

The ICC and ECSC and USCG

The ICC, uhh... (squints at very sparse Wikipedia article) began in 2022, in Athens, Greece. It's an international expansion of ENISA's ECSC (European Cyber Security Challenge).

What a crazy globetrotting event! Well, heck yeah I'll sign up. I can't wait to see the world while doing fun cyber events! Naturally, this year, it took place in San Diego, California. Which is where I've lived for the majority of my life.

Katzcy and USCG

There's a bit of organizational background that's important to understand the event. It's kind of boring but it matters: I participated through the "US Cyber Games" program (henceforth USCG). "Season 1" was 2022, and this (2023, "Season 2") was the first year I took part. So basically, to participate in this event, you had to go through the USCG program first. They were also the host and organizers for the 2023 ICC, since it was in the USA.

USCG is currently run by Katzcy, which is a digital marketing firm focused on cybersecurity publicity...

And I personally despise marketing. Especially digital marketing. Which is the reason I didn't try out in Season 1... But I'll be damned if they aren't good at planning events! The ICC logistically was quite well-run. So, I mean, yeah, I'll sell out and deal with some (a lot of) marketing grift, if it means free travel to cool events.

I'm also participating this upcoming year in the USCG (2023-2024, "Season 3"). There are a couple issues with the program experience, the most pertinent two being:

  1. the application process does not attract or entice a lot of the best players, and
  2. the overall team size is 30, but the ICC competition team size is 15. So half the team will not be competing in the primary event-- but you don't know who until a month or two before the event! This causes a lot of continual stress from the rat-race for those who choose to go hard for a slot, and detachment from (some very skilled) competitors who don't.

We've complained a bunch and hopefully Katzcy & co will work on those; there are a lot of times I wanted to say "X was important, so I'll work on that for next year", but even though I am "on the team", I don't know if I'll be competing.

Gamerifications

The organizers' "eSports" focus shines through in the event. It was very Gamer Athlete AllStar Game Day. You have team t-shirts, we have JERSEYS. You have team tryouts, we have DRAFT DAY. You have competitors, we have ATHLETES. You have livestreams, we have GAME COMMENTATORS. We are NOT the same. As I write to you from my ivory Amazon Basics high-chair, I have the US Cyber Games™ Game Hoodie™®© adorning my pasty gamer™-lifestyle-ridden body-- a complex miasma of Red™ White™ and Blue™ fighting for your attention, drowning in a Moiré pattern of unbridled Patriotism. But it was free! Just like me, in the God Blessed US of A.

The "gamerification" of infosec or cyber security is near universally disdained by actual competitors, as far as I can tell. Indiscriminately turning computer security competitions into spectator events shows a lack of appreciation for the details and sometimes intangible, hard-to-compress processes they contain within.

That said, I do think there is a lot of room for making cyber events fun to watch. Perhaps more under the umbrella of infosec communication and education. As a non-sports fan, I think sports are fun to watch if you can tell what the hell is going on and if you are invested in either the sport itself or the players.

In complex "sports", like cyber, uh, gaming, it becomes very difficult to tell what the hell is going on. In order to convey useful information, the viewers have to understand the mechanics of the "sport"-- yet most all "cyber esports gamerification" attempts fail miserably at this.

The most common sin is to cop out and only show relative performance, winning vs losing, if that. The ICC's primary "watchable" mechanism was a set of wacky floating wizards that either would, or would not, shoot magic ballz at the other teams (signifying if the team had any flags submitted for an enemy wizard). While that conveys relative performance, and it was a fun animation to watch while zoning out, it doesn't provide anything a scoreboard couldn't. What if for spectator chess, instead of seeing the board, you just had material values (e.g., one knight lost versus two pawns), or stockfish's "probability of winning" metric?

Pwny Racing and HTB Battlegrounds are enjoyable but make no effort to appeal to a general audience.

DARPA's CGC is the best example of a spectator cyber security event I've seen thus far. While it had some abstract nonsense with the floating hexagons, it stayed true to the mechanics of what was actually happening, especially with the CFG tracing/coverage graphs. And even if you have no idea what the wiggly lines mean, you can compare them with the other wiggly lines and associate that with achieving a different outcome, further in its execution. So I guess the thesis is, "good spectator cyber security events educate"... or something.

The Event

A positive of the gamer disease, we had cool streams:

The streams were pretty entertaining and well-composed. There wasn't really any attempt to make it technical, but rather just stuck to interviewing people. Which worked out. Although now there's a significant amount of footage of every participant along with their name and country of residence... I guess you can't hide from the deepfake machine forever.

The streams were nice to send to people who wanted to know what you were up to. The announcer also sounds like Robert Downey Jr., according to my aunt, you be the judge.

The "arena", as they say, looked like this:

Low resolution photo of the competition 'arena', showing team Canada and the announcers. The room is large and dim, lit primarily by moving spotlights.

Day 1: Jeopardy CTF

The CTF was run by MetaCTF, who I'm quite familiar with as a platform provider. They usually have more "clever" challenges rather than extremely complex, with each challenge usually built on some kind of theme or story. They don't try to trick you, and they value niche situations and technologies over niche concepts deep within a given field.

Scoring worked like this:

I was able to get one first blood on one RE challenge, which I way overcomplicated. It was [two paragraphs redacted] and it printed the flag. ¯\_(ツ)_/¯ (Sorry, they seemed very serious about not posting writeups, and I don't want Roman MetaCTF to hate my guts...).

Some of the challenges were legitimately difficult. They had a couple pwn ones and some hardware ESP32/xtensa RE ones that had very few solves.

Lastly, we (allegedly) had a certain... strategy, that did not pay off. Ok fine, the strategy was, allegedly, flag hoarding. For the record, I was allegedly not on board with the theoretical idea. It went horribly and made everyone mad. And we still lost. Allegedly.

Day 2: Attack/Defense (...ArcaneLink)

Day two was the A/D (Attack Defense) CTF day, which I have a lot less experience with. We spent our time on ArcaneLink. All of our time.

It was a wicked custom kernel module (Linux), with custom QEMU "hardware" support, and a custom userspace utility to interact with it. The main bug was inside QEMU, as you could compare a byte at a time with a secret (by virtue of memcmp), which revealed the difference from your input byte. So you could leak the 8-byte secret in 8 requests. There was also a race condition that nobody found. The official writeup has all the details: https://github.com/CybersecNatLab/ICC2023-AD-CTF/tree/main/exploits/ArcaneLink.

We were able to replay team Asia's exploit after an embarrassingly long time, but we didn't understand it until we took a 10 minute break after the competition ended, looked at Ghidra again, and figured out that there ARE TWO MEMCMPs! And we were looking at the one from the strings.h! They were using the built-in memcmp! AGHHHHHH!

When we ran a local test to see if the memcmp was leaking information, we did it like this:

#include <stdio.h>
#include <strings.h>
int main() {
    printf("f - a %d\n", memcmp("f", "a", 1));
}

f - a 1

Ok, we can't get anything from that, it only returns -1, 0, or 1. But the built-in!!!

#include <stdio.h>
int main() {
    printf("f - a %d\n", memcmp("f", "a", 1));
}

f - a 5

Why? I hate you! So much!
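To make the difference concrete, here is an added example (not from the original post or the official writeup) that models the two behaviours side by side: a comparison that hands back the raw byte difference, and a hardened one that compares a fixed length in constant time and reports only equal or not equal. The secret, `leaky_check`, `safe_check` and `recover_via_leak` are all hypothetical names and values for this simplified model, not the ArcaneLink code.

```c
#include <stddef.h>
#include <stdio.h>

#define SECRET_LEN 8
/* Constructed secret for this demo; not a value from the challenge. */
static const unsigned char SECRET[SECRET_LEN] = {'h','u','n','t','e','r','2','!'};

/* Models a memcmp that returns the raw byte difference at the first mismatch,
   matching the "f - a 5" result above. */
int diff_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return (int)a[i] - (int)b[i];
    return 0;
}

/* Weak check (hypothetical): caller picks the length, raw result is returned. */
int leaky_check(const unsigned char *guess, size_t n) {
    return diff_memcmp(guess, SECRET, n > SECRET_LEN ? SECRET_LEN : n);
}

/* Hardened check (hypothetical): always compares the full fixed length in
   constant time and reports only equal (1) or not equal (0). */
int safe_check(const unsigned char guess[SECRET_LEN]) {
    unsigned char acc = 0;
    for (size_t i = 0; i < SECRET_LEN; i++) acc |= (unsigned char)(guess[i] ^ SECRET[i]);
    return acc == 0;
}

/* Why the weak check is fatal: send 0 at position i; the result is
   0 - SECRET[i], so each byte falls out of a single query. Returns queries used. */
int recover_via_leak(unsigned char out[SECRET_LEN]) {
    int queries = 0;
    for (size_t i = 0; i < SECRET_LEN; i++) {
        out[i] = 0;
        int d = leaky_check(out, i + 1);  /* bytes before i already match */
        queries++;
        out[i] = (unsigned char)(-d);
    }
    return queries;
}

int main(void) {
    unsigned char out[SECRET_LEN];
    int q = recover_via_leak(out);
    printf("leaky: %d queries, recovered \"%.8s\"\n", q, (const char *)out);
    printf("safe_check(recovered) = %d\n", safe_check(out));
    return 0;
}
```

The hardened version fixes the length as well as the return value: a boolean result with a caller-chosen length would still let each byte be guessed on its own.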

Fun/Socializing

As usual, talking to other teams, going to the dinners, and doing ancillary fun stuff was one of the best parts of the event.

I got a picture with (IMO) one of the best pwners out there, whose posts I've been reading online for a long time :) He was the team Asia coach, but is still eligible to be a participant, what a legend.

Photo of two people in front of a green hedge and a coastal golf course.

It wouldn't be San Diego without irresponsible consumption of bubble tea. Namely:

I suggested Wushiland to the people I talked to on Team Asia, but I don't know if they ever went. I did see them doordashing McDonalds though, so I hope they're okay.

Walking around, seeing the hills, and going to the beach was a lot of fun too.

Grassy brown hills next to a La Jolla beach

I got a crazy sunburn, turns out my cruddy sunscreen washes right off in the water. Sorry to anyone who borrowed some... I also got really sick after coming back, so my daily routine for about a week consisted of scraping skin off my back, taking Zicam, profusely shivering, and sobbing.

Sand and water at a La Jolla beach

Conclusion

Why did you get stomped?

The competition was, overall, very well run. The challenges were difficult, especially for A/D where, again, there were only one or two vulns for a massive service. So my general answer is:

At least for me personally, CTFs have never been a competitive event in the same way that CyberPatriot or CCDC were. They usually were fun, one-offs with minimal commitment. But the ICC and related have made CTFs into a rewarding social environment that I really enjoy, so I hope to uh, get good.

Main takeaways

If you have any questions or feedback, please email my public inbox at ~sourque/public-inbox@lists.sr.ht.