
picoCTF: A Game-Based Computer Security Competition for High School Students

Peter Chapman Jonathan Burket David Brumley


peter@cmu.edu jburket@cmu.edu dbrumley@cmu.edu

Carnegie Mellon University

This material is based upon work supported by the National Science Foundation Graduate Research Fellowship under Grant No. 0946825.

8/18/2014
Plaid Parliament of Pwning
PlaidCTF

Who plays in CTFs?
• University Students
• Security Professionals
• Dedicated Hobbyists

CTFs currently reach a small audience of very passionate people.

Targeting High Schools
+ Formative Educational Period
+ After-School Clubs
+ Feasible Classroom Integration
+ Advanced Students
- Coding Backgrounds
- Tool Knowledge
- Security Background

picoCTF 2013
A computer security educational experience targeting high school students

Introduce real-world offensive and defensive skills to all backgrounds

Build the event around an interactive game to motivate students and teachers

picoCTF Challenges
• Digital Forensics (16)
• Cryptography (8)
• Reverse Engineering (9)
• Web Exploitation (13)
• Binary Exploitation (11)

picoCTF Challenges
Level 1: No programming experience necessary
Level 2: Basic programming experience
Level 3: AP Computer Science
Level 4: Very hard

Each skill level can finish with accomplishment

Challenge-Game Storyboarding
[Storyboard diagram. Labels: Stage 1; Stage 2; Bonus; Robot 101; Enter Debug Mode; FAT Error Code; Robot Sending Message to Base; Decrypt Instructions; File Structure; Caesar Cipher; Network Wireshark; Rename Toast; Secret Competition Space Port Location; Fix Robot; Command-Line Interface; Sleep in Bed; Fun Facts and Trivia; Reveal Robot History]

Robot 101
[Game screenshot. Labels: Learn to Fix Robot; FAT Code Problem Solved; Robot Sending Message to Base; Hints; Enter Debug Mode; Decrypt Instructions]

April 26 7:00 AM EDT - May 6 11:59 PM EDT

1,938 teams from 955 different schools

$21,000 in cash prizes!

Competition Evaluation
• 172,482 Challenge Submissions
• 415 Post-Competition Survey Responses

Game Viewer Usage
[Chart: y-axis "Usage" (0 to 1), x-axis "Score" (1 to 7); series: Text-Based Problem Viewer and "Toaster Wars" Game Viewer]

Game Viewer Usage
[Chart: y-axis "Grade", x-axis "Opinion of Game Viewer" (1 to 5, endpoints labeled "Hated It" and "Loved It")]

Challenge Preferences – Want More Of:
• Web: 31%
• Cryptography: 22%
• Script Exploitation (non-web): 12%
• Forensics: 11%
• Reverse Engineering: 11%
• Binary Exploitation: 7%
• Other: 7%

Challenge Preferences – Want Fewer Of:
• Binary Exploitation: 45%
• Forensics: 14%
• Reverse Engineering: 9%
• Web: 8%
• Cryptography: 8%
• Script Exploitation (non-web): 8%
• Other: 8%

picoCTF 2013 Takeaways
• The CTF format works!

• People liked the game, especially younger and less advanced players.

• Unfamiliar and complex tools frustrate.

• Individual accounts are a must for evaluation.

Beyond picoCTF 2013

CTF Platform

Questions!
A computer security educational experience targeting high school students

Introduce real-world offensive and defensive skills to all backgrounds

Build the event around an interactive game to motivate students and teachers
