Intro to Offensive Security


New York University

Tandon School of Engineering

Running a college course with CTFd

Nick Gregory and Josh Hofing are students in the OSIRIS Lab at NYU Tandon School of Engineering. Knowing how valuable a learning experience Capture the Flag (CTF) security competitions can be, they approached professor Brendan Dolan-Gavitt with a pitch to bring an offensive security class to NYU, organized as a CTF. It would be up to them to develop coursework, deliver lectures, and grade assignments while complying with relevant law and school policy. Dolan-Gavitt approved. They named their class Introduction to Offensive Security, and turned to CTFd to make it happen.

Using this platform, Gregory and Hofing were able to deliver a high-quality learning experience, imparting valuable technical skills that are currently in short supply, industry-wide. CTFd also equipped them to save time, eliminate cheating, facilitate logistics, protect student confidentiality, and protect system security in class.

Challenge

CTF competitions are a valuable learning experience, because they require students to research, try a solution, and modify their answer until they find one that works - the same way an engineer in the field learns. As such, they give students an opportunity to develop a sixth sense about security issues. Established security engineers often continue to play CTF in their free time to maintain a quick wit about tactics and techniques. CTFs also give students a way to practice offensive security without facing legal repercussions. It can be very difficult to identify the presence of a bug in real applications; it can also be illegal. By creating a self-contained environment in which students can safely develop their skills, CTFs empower them to contribute more powerfully to their field.

Gregory and Hofing wanted to facilitate the class through a website where students could learn independently; this would reduce the need for extra lectures. They wanted to assign unique problems to each student, making it harder to cheat. They also wanted to avoid developing and grading each problem individually.

The course syllabus always available online

The tools that educators commonly use to facilitate online coursework, such as WebAssign, were not an option for this class. Tools like these are useful for exercises based on predefined formulas, but security challenges are free-form. Gregory and Hofing needed a platform that would let them create questions of any type.

They were familiar with CTFd through their participation in CSAW, the annual cyber security conference at NYU, where CTFd supports the conference’s renowned Capture the Flag event. They were also aware that CTFd makes deep customizations painless. While many CTF frameworks can be customized by modifying source code, CTFd offers a plugin and theme interface designed to make doing so easy. Also, unlike other CTF platforms, which are written in less popular languages like PHP, CTFd allows developers to make customizations in more common programming languages.

Solution

CTFd already had many of the features that Gregory and Hofing wanted. Building on its native functionality, they enhanced CTFd with custom plugins, which automatically customize challenges to each student’s account. With these plugins, no two students receive the exact same challenge files, and challenge servers are automatically created to run the uniquely-generated files. (Educators who are interested in the modifications they made are welcome to request this customization from CTFd.)

Every week, their class meets for a lecture on a particular security technique; e.g. Cross Site Scripting (XSS), SQL Injection (SQLi), or buffer overflow exploitation. On their own time, the students apply this technique to a CTF challenge that Gregory and Hofing have written or adapted for this purpose. Once a challenge has been defined, the platform can create any number of instances of it, automatically generating and disseminating user-customized problems.

In-class discussion and demo of web vulnerabilities

After a user solves a problem, CTFd grades it automatically, and if the solution is 100% correct, their status on the scoreboard rises — but because it’s illegal to share information about any student’s academic progress, Gregory and Hofing modified the platform to make every score (except one’s own) anonymous.

Results

The class anonymized scores to comply with FERPA but not lose any competetive aspects

Labor saved.

With CTFd, Gregory and Hofing can minimize lecture time while running an effective class. The platform also dramatically reduced the time they would otherwise have had to spend generating challenges, a gain of 15-30 hours per term in that area alone. Finally, since Gregory and Hofing only rarely need to grade student work hands-on, CTFd saves them multiple hours per week in that area as well.

Cheating prevented.

They chose to build in extra safeguards against cheating behaviors. But since most of what they needed is already written into the platform, Gregory and Hofing didn’t have to add much. With just about 250 lines of code, they fine-tuned CTFd to notify them if one student were to submit another user’s solution. Also, because each user challenge is unique, it’s impossible for any student to steal the answer they need from another student.

Logistics smoothed.

Gregory and Hofing integrated CTFd into the NYU authentication and grading system, so each student’s identity is automatically matched to their coursework, making grading painless. Students don’t have to enter their ID number manually (risking human error) or create custom usernames (requiring someone to match them to their ID later). CTFd helped Gregory and Hofing streamline those logistics.

Confidentiality protected.

By anonymizing student scores, Gregory and Hofing were able to protect public student data in compliance with FERPA. Security maintained. Gregory and Hofing structured the CTFd architecture to give each user a self-contained environment in which to work, preventing students from hacking into it on purpose, or destroying it by accident. It is possible for a student to destroy their own environment, but not any other student’s — and any damage they do, whether intentional or unintentional, can be fixed, either automatically (the container resets after three hours of non-use) or manually by Gregory and Hofing.

Quality achieved.

Because CTF is a game, it makes learning fun. Because it’s a scored competition, it incentivizes fast, highly motivated work, in which students compete to be first to finish their homework. Because you can’t progress until you understand the concept, it demands mastery. And because mastery can be achieved either independently or collaboratively, it rewards self-driven research as well as student cooperation.

Summary

With CTFd, Gregory and Hofing spend less time lecturing, developing coursework, and grading, while ensuring the integrity of student work and maintaining academic confidentiality. Thanks to the flexibility of the platform, they’ve been able to tailor it to their needs: merging online and physical curricula for a learning experience that’s more automatic, less laborious, and high-quality.

Big picture, their class supports their university’s organizational objectives by reinforcing its reputation in the cyber security field: NYU Tandon is an NSA Center of Excellence in Information Assurance, Research, and Cyber Operations, with classes taught by internationally known experts.

The platform also equips students with hard skills that are as important as they are rare, drawing new interest to the field from talented undergraduates.