In this project, you will create a hacking workshop, and more precisely a gamified environment for your fellow students who study software and network security.

Unlike classical security labs, this environment is a contest for multiple students to reach the best score. Two different approaches are generally followed in security contests:

  • CTF (Capture The Flag) style: the environment might first provide the necessary mechanisms for creating challenges or puzzles that can be solved based on bypassing security and cryptographic mechanisms. The students or teams of students can be ranked based on their success rate, the speed at which they succeed, and possibly other criteria you may imagine.
  • Red/Blue Teams: the environment might provide the infrastructure required for a Blue Team / Red Team fight, in which the Blue Team members have to defend their infrastructure and resources from attacks performed in realtime by the Red Team members.

You will develop a CTF style environment, with a twist: every user in the system should be able to create its own challenges and gain points out of it.

  • study and collect existing puzzles from other CTFs or create your own challenges based on courses/articles/web pages describing one or several vulnerabilities. These will be used as a test for the environment you are building. Co-encadré par Karima Boudaoud
  • This vulnerability will have to be reproduced in a safe environment that cannot be used to perform external attacks. It should be easy to deploy on a student’s workstation, for instance using a combination of containers and/or virtual machines. This environment should contain a way to monitor complete or partial success or failure (possibly after some timeout), in realtime if possible or post-mortem.
  • create a database of such attacks. Any student or team should be able to create a new challenge (that he won’t be able to run himself). You will have to think of a mechanism for encouraging the author of a challenge (for instance with additional points counting in the ranking). The challenge might have to be tested and validated by a professor or by other students or teams, in exchange of another reward.
  • create the software architecture to deploy the challenges and collect the results.
  • You will also need to implement a dashboard for displaying the contest results in realtime and to design and deploy the infrastructure for sending notifications about new challenges, closed challenges and results, etc.
  • The author of a challenge should be able to enter a solution that can possibly be replayed by a student or a team that has finished the challenge successfully or not. Other users should also be able to submit their own solution and to comment. You also have to think of a system for rewarding these users for their contributions based on fellow opinions (for instance using a Facebook Like approach)

You are encouraged to reuse as much code, tools, and ideas from similar contests as possible in order to provide the best gamified experience to your fellow students.

One problem with the gamification will be the need to balance the different rewards of the participants in order to make sure that the rewards gained from solving puzzles are balanced with the rewards gained from managing the challenges (creation, validation). You may possibly consider two distinct scores.

This project is co-supervised with Karima Boudaoud.

Compétences Requises

You are expected to have knowledge and interest in both software security (mandatory) and software engineering (if possible). Knowledge in man-machine interface would be a plus. Groups with diverse backgrounds are encouraged.

Besoins Clients

  • creation of an organized collection of security challenges
  • design & development of an infrastructure for deploying / controlling challenges
  • design of solid gamification and cooperation mechanisms

Résultats Attendus

  • survey on CTFs and catalog of security challenges
  • proof-of-concept implementation of a CTF infrastrure
  • report on the gamification and cooperation mechanisms and their validation

Références

Informations Administratives

  • Contact : Yves ROUDIER Yves.Roudier@i3s.unice.fr
  • Identifiant sujet : Y1819-S030
  • Effectif : entre 2 et 3 étudiant(e)s
  • Parcours Recommandés : AL,CASPAR,IHM
  • Équipe: SPARKS