Nick Gregory and Josh Hofing are students in the OSIRIS Lab at NYU Tandon School of Engineering. Knowing how valuable a learning experience Capture the Flag (CTF) security competitions can be, they approached professor Brendan Dolan-Gavitt with a pitch to bring an offensive security class to NYU, organized as a CTF. It would be up to them to develop coursework, deliver lectures, and grade assignments while complying with relevant law and school policy. Dolan-Gavitt approved. They named their class Introduction to Offensive Security, and turned to CTFd to make it happen.
Using this platform, Gregory and Hofing were able to deliver a high-quality learning experience, imparting valuable technical skills that are currently in short supply, industry-wide. CTFd also equipped them to save time, eliminate cheating, facilitate logistics, protect student confidentiality, and protect system security in class.
CTF competitions are a valuable learning experience because they require students to research, try a solution, and modify their answer until they find one that works, the same way an engineer in the field learns. As such, they give students an opportunity to develop a sixth sense for security issues. Established security engineers often continue to play CTFs in their free time to keep their knowledge of tactics and techniques sharp. CTFs also give students a way to practice offensive security without facing legal repercussions. Finding a bug in a real application can be very difficult; it can also be illegal. By creating a self-contained environment in which students can safely develop their skills, CTFs empower them to contribute more powerfully to their field.
Gregory and Hofing wanted to facilitate the class through a website where students could learn independently; this would reduce the need for extra lectures. They wanted to assign unique problems to each student, making it harder to cheat. They also wanted to avoid developing and grading each problem individually.
The tools that educators commonly use to facilitate online coursework, such as WebAssign, were not an option for this class. Tools like these are useful for exercises based on predefined formulas, but security challenges are free-form. Gregory and Hofing needed a platform that would let them create questions of any type.
They were familiar with CTFd through their participation in CSAW, the annual cyber security conference at NYU, where CTFd supports the conference’s renowned Capture the Flag event. They were also aware that CTFd makes deep customizations painless. While many CTF frameworks can be customized by modifying source code, CTFd offers a plugin and theme interface designed to make doing so easy. Also, unlike other CTF platforms, which are written in less popular languages like PHP, CTFd allows developers to make customizations in more common programming languages.
CTFd already had many of the features that Gregory and Hofing wanted. Building on its native functionality, they enhanced CTFd with custom plugins, which automatically customize challenges to each student’s account. With these plugins, no two students receive the exact same challenge files, and challenge servers are automatically created to run the uniquely-generated files. (Educators who are interested in the modifications they made are welcome to request this customization from CTFd.)
Every week, their class meets for a lecture on a particular security technique, e.g., Cross-Site Scripting (XSS), SQL Injection (SQLi), or buffer overflow exploitation. On their own time, the students apply this technique to a CTF challenge that Gregory and Hofing have written or adapted for this purpose. Once a challenge has been defined, the platform can create any number of instances of it, automatically generating and distributing user-customized problems.
After a user solves a problem, CTFd grades it automatically, and if the solution is 100% correct, their status on the scoreboard rises. Because it is illegal to share information about any student's academic progress, Gregory and Hofing modified the platform to make every score (except one's own) anonymous.
With CTFd, Gregory and Hofing spend less time lecturing, developing coursework, and grading, while ensuring the integrity of student work and maintaining academic confidentiality. Thanks to the flexibility of the platform, they’ve been able to tailor it to their needs: merging online and physical curricula for a learning experience that’s more automatic, less laborious, and high-quality.
Big picture, their class supports their university’s organizational objectives by reinforcing its reputation in the cyber security field: NYU Tandon is an NSA Center of Excellence in Information Assurance, Research, and Cyber Operations, with classes taught by internationally known experts.
The platform also equips students with hard skills that are as important as they are rare, drawing new interest to the field from talented undergraduates.