[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Hiding Backdoors in plain sight



The CoreTex Team from Core Security is happy to announce the *1st Open
Backdoor Hiding & Finding Contest* to be held at DEFCON 0x12 this year!

Hiding a backdoor in open source code that will be subjected to the
scrutiny of security auditors by the hundredths may not be an easy task.
Positively and unequivocally identifying a cleverly hidden backdoor may
be extremely difficult as well.

But doing both things at DEFCON 0x12 could be a lot of fun!


If you liked to read about the exploits of C. Auguste Dupin, the devious
Minister D. or even the n00b Prefect Monsieur G. [*] here's a chance to
role-play all of them at DEFCON using your favorite coding and code
auditing techniques.

Registration is now open at http://www.backdoorhiding.com

Questions, feedback, comments and general discussion at
https://forum.defcon.org/forumdisplay.php?f=520

Here are the details:

Quick intro

Two in one Backdoor Hiding/Finding Contest (participate in either or
both): In the first stage, hiding participants provide a source code
hiding a backdoor, in the second stage organizers mix the source codes
with non-backdoored (placebos), and then ask finding participants to
spot the placebos. Hiding participants get hiding points for being voted
as a placebo and finding participants get points for spotting the
placebos and negative points for false positives.

Contest Description

The contest includes two games: a backdoor hiding and a backdoor finding
contest which are played simultaneously. The contest will be played in
two rounds: a qualification round that starts before the conference and
ends during the conference, and a second (smaller and shorter) round
during the conference. Each round is a multi-player game, which is
played in two stages. The timeline is included below.

Prizes will be announced shortly. We will give prizes for all those that
get to the qualification round and special prizes for the winners of
each contest.

Qualification round

Stage 1 (hiding): All participants registered for the backdoor hiding
game are given a set of requirements for a software program. Before the
deadline, they must submit the source code for a program that fulfills
these requirements plus includes a backdoor. They must also send a
description explaining how to exploit the backdoor.

Stage 2 (finding): There is new time to register for the backdoor
finding game. All players registered are given a bundle with the
different pieces of source code. To each bundle the organizers will add
a few placebos (source codes that fulfill the requirements but should
not include a backdoor). Before a deadline, the players must answer for
each source code if they believe it includes a backdoor or not.

The winners of each game are the ones that accumulate the most points.
There is a table for computing points (which can be positive or
negative) for the finding contest (X points if it was voted as backdoor
and had a backdoor, Y points if it was voted as backdoor and hadn’t a
backdoor, etc.).

For the hiding contest, it’s simpler: each time one player’s source code
was voted as non-backdoored, the player is given 1 point. The first
participants of the backdoor hiding contest with the most points qualify
for the second round.

Same with the finding contest.

Final Round

Stage 1: We provide a source code in C/C++ and describe the requirements
it fulfills to all the players. We then describe an additional
requirement, and players must write a patch to this source code such
that all of the requirements are fulfilled and a backdoor is hidden in
the code. They must also provide an explanation on how to use the backdoor.

Stage 2: Again, the organizers will add a few patches/source codes that
fulfill the requirements but do not have backdoors. A jury composed of
the winners of the hiding contest (1st stage), a small set of well-known
security experts and the players of stage 1 (round 2) have 3 hours to
cast their votes for each source code if it hides or does not hide a
backdoor. Points are computed according to the same strategy as in the
first round.

The contest is not restricted to any particular programming language.
However, it is part of the instructions that the “work” was commissioned
by a government that needs this software and will audit it. Hence, most
players will stay away from non-mainstream programming languages –since
the non-backdoored programs will most probably be developed in C, C++, etc.

Timeline

-July 1, we open registration.
-July 19th, we open the 1st stage of the qualification round.
Participants are allowed to register until before the July 29 deadline.

-Thursday July 29, 0hs, we stop receiving source codes. Registration for
2nd stage of the first round continues.

-Friday July 30th, 0hs, we open the 2nd stage of the qualification
round: users are allowed to download the source code bundles; the site
accepts votes (YES/NO)

-Saturday July 31st, 12hs, Registration and voting are closed. Shortly,
we announce first round winners of the backdoor-hiding and
backdoor-finding contests.

-Saturday July 31st, 16hs, we start the second (and final) round which
will last less than two hours. Players have some time to write a patch
for a given source code and include a backdoor.

-Saturday July 31st, 17:30hs, The eminence jury members (3-5 members,
TBD), winners of the backdoor-hiding qualification round and the winners
of the backdoor-finding qualification round are allowed to vote for the
final round winner. They have 30 minutes.

-Sunday 1, 14hs. Winners are announced and prizes delivered in the
DefCon Awards Ceremony.


Register now, have fun and see you at DEFCON-0x12 !


[*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from
the 1845 tale "The Purloined Letter" by Edgar Allan Poe

--
ariel, andres, Damian Saura, futo, ivan  & pedro

The CoreTex team at Core Security Technologies


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/