The CoreTex Competitions Team from Core Security is happy to announce the 2nd Open Backdoor Hiding & Finding Contest to be held at DEFCON 0x13 this year!
Hiding a backdoor in open source code that will be subjected to the scrutiny of security auditors by the hundreds may not be an easy task. Positively and unequivocally identifying a cleverly hidden backdoor may be extremely difficult as well. But doing both things at DEFCON 0x13 could be a lot of fun!
If you enjoyed reading about the exploits of C. Auguste Dupin, the devious Minister D. or even the n00b Prefect Monsieur G. [*], here's a chance to role-play all of them at DEFCON using your favorite coding and code-auditing techniques.
Questions, feedback, comments and general discussion at Defcon Forum
Prize: a USRP-1 each, with its RX and TX modules for sampling DC to 50 MHz.
Two-in-one Backdoor Hiding/Finding Contest (participate in either or both): in the first stage, hiding participants submit source code that contains a backdoor; in the second stage, the organizers mix those submissions with non-backdoored programs (placebos) and ask finding participants to spot the placebos. Hiding participants earn points each time their code is voted a placebo; finding participants earn points for spotting the placebos and lose points for false positives.
The contest therefore consists of two games, backdoor hiding and backdoor finding, played at the same time. It is a multi-player game played in two stages. The timeline is included below.
Prizes will be announced shortly. We will give prizes for both stages of the contest.
Stage 1 (hiding): All participants registered for the backdoor hiding game are given a set of requirements for a software program. Before the deadline, they must submit the source code for a program that fulfills these requirements and also contains a backdoor. They must also send a description explaining how to exploit the backdoor.
Stage 2 (finding): All players registered for the backdoor finding game are given a bundle with the different pieces of source code. To each bundle the organizers add a few placebos (source code that fulfills the requirements but should not include a backdoor). Before the deadline, players must state, for each program, whether they believe it contains a backdoor or not.
The winners of each game are the ones that accumulate the most points. Here is the table for computing points (which can be positive or negative) in the finding contest:

| Finding: scoring table | Placebo | Backdoored |
|---|---|---|
| Correctly identified | 5 (voted as placebo) | 2 (voted as backdoored) |
| Incorrectly identified | -1 (voted as backdoored) | -12 (voted as placebo) |
For the hiding contest it's simpler: each time a finder votes a player's source code as non-backdoored (a placebo), that player is given 1 point. The participants with the most points in the backdoor hiding contest win it, and likewise the finders with the most points win the finding contest.
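As an added illustration of the scoring rules above (example code written for this page, not the organizers' scoring software), here is a scorer for both games plus a comparison of three finder strategies. The bundle, the hypothetical hider names alice, bob and carol, and every vote are constructed inputs. It shows what the asymmetric table implies: because calling a backdoored program clean costs 12 points, a finder who audits nothing and simply calls everything backdoored can outscore a careful finder who is right about everything except a single backdoor, and calling everything a placebo is disastrous.

```python
"""Scorer for the two games under the rules above.

Added example (not part of the original announcement, and not the
organizers' scoring code). The bundle, authorship and votes below are
constructed inputs used only to exercise the scoring rules.
"""
from typing import Dict, Iterable

PLACEBO = "placebo"
BACKDOORED = "backdoored"

# Finding game: points indexed by (what the entry really is, what the finder voted).
FINDING_POINTS = {
    (PLACEBO, PLACEBO): 5,          # placebo correctly identified
    (BACKDOORED, BACKDOORED): 2,    # backdoor correctly identified
    (PLACEBO, BACKDOORED): -1,      # false positive: clean code called backdoored
    (BACKDOORED, PLACEBO): -12,     # false negative: backdoor called clean
}

# Constructed bundle: six hiders' entries plus three organizer placebos.
TRUTH = {
    "entry1": BACKDOORED, "entry2": BACKDOORED, "entry3": PLACEBO,
    "entry4": BACKDOORED, "entry5": PLACEBO, "entry6": BACKDOORED,
    "entry7": BACKDOORED, "entry8": PLACEBO, "entry9": BACKDOORED,
}
# Constructed authorship of the backdoored entries (hypothetical players).
AUTHORS = {
    "entry1": "alice", "entry2": "alice",
    "entry4": "bob", "entry6": "bob",
    "entry7": "carol", "entry9": "carol",
}


def score_finder(truth: Dict[str, str], votes: Dict[str, str]) -> int:
    """Finding-game total for one player; every bundle entry needs a verdict."""
    total = 0
    for entry, actual in truth.items():
        if entry not in votes:
            raise ValueError(f"no verdict for {entry}")
        if votes[entry] not in (PLACEBO, BACKDOORED):
            raise ValueError(f"invalid verdict for {entry}: {votes[entry]!r}")
        total += FINDING_POINTS[(actual, votes[entry])]
    return total


def score_hiders(truth: Dict[str, str], authors: Dict[str, str],
                 all_votes: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Hiding-game totals: one point per finder who called a backdoored entry a placebo."""
    points = {author: 0 for author in set(authors.values())}
    for votes in all_votes:
        for entry, verdict in votes.items():
            if truth[entry] == BACKDOORED and verdict == PLACEBO:
                points[authors[entry]] += 1
    return points


def constant_votes(truth: Dict[str, str], verdict: str) -> Dict[str, str]:
    """A finder who does no auditing and gives the same verdict to everything."""
    return {entry: verdict for entry in truth}


# A careful finder: every verdict right except one missed backdoor (entry9).
CAREFUL_VOTES = {**TRUTH, "entry9": PLACEBO}


def strategy_report() -> Dict[str, int]:
    """Compare three finders; the -12 miss penalty dominates the outcome."""
    finders = {
        "careful (one miss)": CAREFUL_VOTES,
        "calls everything backdoored": constant_votes(TRUTH, BACKDOORED),
        "calls everything placebo": constant_votes(TRUTH, PLACEBO),
    }
    return {name: score_finder(TRUTH, votes) for name, votes in finders.items()}


if __name__ == "__main__":
    for name, pts in strategy_report().items():
        print(f"{name:30} {pts:4d}")
    print("hiders:", score_hiders(TRUTH, AUTHORS, [
        CAREFUL_VOTES,
        constant_votes(TRUTH, BACKDOORED),
        constant_votes(TRUTH, PLACEBO),
    ]))
```

On this constructed bundle the careful finder scores 13 (15 for the three placebos, 10 for five caught backdoors, -12 for the one miss), the finder who calls everything backdoored scores 9 (12 - 3), and the finder who calls everything a placebo scores -57. On the hiding side, only the votes that call a backdoored entry clean count, so the all-placebo finder hands every hider two points and the careful finder's single miss gives carol one more. The practical reading is that a finder should only vote "placebo" with high confidence, which is exactly the pressure the hiding side is designed to exploit.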
The contest is not restricted to any particular programming language. However, the instructions state that the "work" was commissioned by a government that needs this software and will audit it. Hence most players will stay away from non-mainstream programming languages: the non-backdoored programs will most probably be written in C, C++, etc., and an entry in an exotic language would stand out next to them.
- July 1st, we open registration at contest web site: http://www.backdoorhiding.com.
- July 18th, start of the hiding stage and publication of the requirements.
- August 3rd, end of the hiding stage and first review by the jury.
- August 4th, opening of the finding stage.
- August 6th, contest closes and winners are announced.
Register now, have fun and see you at DEFCON-0x13 !
[*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from the 1845 tale "The Purloined Letter" by Edgar Allan Poe