Three-peat for CMU hacking team at MITRE cybersecurity tournament
Giordana Verrengia
Jun 3, 2024
The winning streak continues for Carnegie Mellon University's competitive hacking team, Plaid Parliament of Pwning (PPP), who claimed first prize at the MITRE Embedded Capture the Flag (eCTF) competition for the third consecutive year.
This year’s team from PPP includes 13 students — undergraduates and graduates — enrolled in the departments of Computer Science and Electrical and Computer Engineering (ECE), as well as the Information Networking Institute (INI) master’s program. Students took a keen interest in this year’s competition, and some PPP members have participated multiple times in eCTF, allowing them to take on informal leadership and mentoring roles on the team.
Anthony Rowe of ECE, Patrick Tague of INI, and Maverick Woo of CyLab served as faculty advisors for the team.
The competition lasts the entire Spring semester and is broken into two phases: design and attack. Teams are evaluated for how well they cater to both functionality and security in their products.
Unlike many other capture the flag tournaments, MITRE eCTF focuses on embedded system security — which deals with protecting data and safety in field-deployed devices such as mobile phones and avionics equipment. This year’s theme was about securing a supply-chain solution for medical device manufacturers. During Phase 1, which began in January, PPP held weekly meetings to develop their product in accordance with the seven security requirements stipulated by the MITRE organizers.
“I learned a lot about how an embedded system can go wrong,” said Carson Swoveland, a recent ECE graduate. “I don’t think any traditional courses focus on designing an embedded system with quite as much intensity and practicality as MITRE’s competition.”
According to Swoveland, one of the keys to PPP’s success was that everyone knew exactly what they were responsible for.
“What we’ve observed is that if we don’t keep track of outstanding tasks, if we don’t have someone sketching out a timeline of what we need to get done and when, things don’t get done,” said Swoveland, who will pursue a fifth-year master’s degree at CMU.
Phase 2, the attack phase, involves trying to find vulnerabilities in the embedded systems made by other teams. Swoveland says this stage also required considerable strategic collaboration. One group of teammates focused on exploiting a defect that several competing systems had in common, while the other group developed workarounds for separate issues. In this year’s competition, PPP’s system was one of a select few to not have any vulnerabilities successfully hacked by competing teams.
MITRE eCTF also mimics a commercial environment with its evaluation setup, splitting points between functionality, timeliness, and security. As Woo explains, rushing to turn in a product doesn’t guarantee a tournament victory — teams must resist the temptation to cave in to market pressure. In a commercial environment, the most effective and secure product will distinguish itself from the competition.
To help students perform at their best, CMU allows students to earn 12 course credits for participating in the eCTF. Students also have no financial obligations to participate in the tournament thanks to generous support from sponsors, who provide funding to purchase the hardware equipment necessary for the competition. This year’s team received funding support from Amazon Web Services, AT&T, Cisco, Infineon, Nokia Bell Labs, Rolls-Royce, and Siemens through the CyLab partnership program.
PPP’s success seems poised to continue. Woo believes that MITRE places a high premium on thoroughness, and he says that CMU students are well prepared because their courses teach them to do the right thing and not to compromise on the quality of solutions.
Additionally, several PPP team members hone their skills outside of MITRE eCTF by serving as problem writers for the annual picoCTF hacking competition, in which participants from middle schoolers and their teachers to undergraduate university students learn to overcome sets of challenges from six domains of cybersecurity including general skills, cryptography, web exploitation, and forensics.
Through writing for picoCTF, PPP team members gain a unique perspective on overcoming challenges by creating hacking challenges themselves. They also give back to the cybersecurity community by helping to educate the next generation of privacy and security professionals.
“I think our students are very driven to participate, and very entrepreneurial, so this activity suits them well,” said Woo.
Members of PPP’s winning team are listed below:
- Akash Arun – ECE Senior
- Andrew Chong – ECE Senior
- Aditya Desai – INI Master’s Student
- Nandan Desai – INI Master’s Student
- Quinn Henry – INI Master’s Student
- Sirui (Ray) Huang – ECE/Computer Science Senior
- Tongzhou (Thomas) Liao – ECE Senior
- David Rudo – Computer Science Senior
- John Samuels – INI Master’s Student
- Anish Singhani – ECE Senior
- Carson Swoveland – ECE Senior
- Rohan Viswanathan – INI Master’s Student
- Gabriel Zaragoza – Computer Science Senior