The Need
5 minute read
“Sharing is caring” they said… they were wrong. Sometimes, isolating things can get spicy, but it implies replicating infrastructures. If someone soft-locks its challenge, it would be its entire problem: it won’t affect other players experience. Furthermore, you could then imagine a network challenge where your goal is to chain a vulnerability to a Man-in-the-Middle attack to get access to a router and spy on communications to steal a flag ! Or a small company infrastructure that you would have to break into and get an administrator account ! And what if the infrastructure went down ? Then it would be isolated, other players could still play in their own environment. This idea can be really productive, enhance the possibilities of a CTF and enable realistic -if not realism- attacks to take place in a controlled manner.
This is the Challenge on Demand problem: giving every player or team its own instance of a challenge, isolated, to play complex scenarios. With a solution to this problem, players and teams could use a brand new set of knowledges they could not until this: pivoting from an AWS infrastructure to an on-premise company IT system, break into a virtual bank vault to squeeze out all the belongings, hack their own Industrial Control System or IoT assets… A solution to this problem would open a myriad possibilites.
The existing solutions
As it is a widespread known limitation in the community, people tried to solve the problem. They conceived solutions that would fit their need, considering a set of functionalities and requirements, then built, released and deployed them successfully.
Some of them are famous:
- CTFd whale is a CTFd plugin able to spin up Docker containers on demand ;
- CTFd owl is an alternative to CTFd whale ;
- KubeCTF is another CTFd plugin made by DownUnderCTF to spin up Kubernetes environments ;
- Klodd is a rCTF service made to spin up Kubernetes environments.
Nevertheless, they partially solved the root problem: these solutions solved the problem in a given context (Docker, Kubernetes), with most of the time a Domain Specific Language (DSL) that does not guarantee non-vendor-lock-in nor ease use and testing, and lack functionalities such as Hot Update.
An ideal solution to this problem require:
- the use of a programming language, not a DSL (non-vendor-lock-in and functionalities) ;
- the capability to deploy an instance without the solution itself (non-vendor-lock-in, way to test manually) ;
- the capability to use largely-adopted technologies (e.g. Terraform, Ansible, AWS, Kubernetes, etc.) ;
- the genericity of its approach to avoid re-implementing the solution for every service provider (functionalities).
Before Chall-Manager, there was no solution that would fit these specifications.
Grey litterature survey
Follows an exhaustive grey litterature survey on the existing solutions and their approach to the Challenge on Demand problem. To enhance it please open an issue or a pull request, we would be glad to improve it !
| Service | CTF platform | Genericity | Technical approach | Scalable |
|---|---|---|---|---|
| CTFd whale | CTFd | ❌ | API wrapper around Docker | ❌¹ |
| CTFd owl | CTFd | ❌ | API wrapper around Docker | ❌¹ |
| KubeCTF | Agnostic, CTFd plugin | ❌ | Use Kubernetes API and annotations | ✅ |
| Klodd | rCTF | ❌ | Use Kubernetes CRDs and a microservice | ✅ |
| HeroCTF's deploy-dynamic | CTFd | ❌ | API wrapper around Docker | ❌¹ |
| 4T$'s I | CTFd | ❌ | Use Kubernetes CRDs and a microservice | ✅ |
| offsecginger's CTFd-Docker-Challenges | CTFd | ❌ | API wrapper around Docker | ❌¹ |
| Punk Security's CTFd-ECS-Challenges | CTFd | ❌ | Create AWS ECS tasks to host Docker containers | ✅ |
¹ not considered scalable as it reuses a Docker socket thus require a whole VM. As such a VM is not scaled automatically (despite being technically feasible), the property aligns with the limitation.
Classification for Scalable:
- ✅ partially or completfully scalable. Classification does not goes further on criteria as the time to scale, autoscaling, load balancing, anticipated scaling, descaling, etc.
- ❌ only one instance is possible, or a cluster is technically feasible yet requires expertise.
Litterature
More than a technical problem, Chall-Manager also provides a solution to a scientific problem. In previous approaches for cybersecurity competitions, many referred to an hypothetic generic approach to the Challenge on Demand problem. None of them introduced a solution or even a realistic approach.
In these approaches to Challenge on Demand, we find:
- “PAIDEUSIS: A Remote Hybrid Cyber Range for Hardware, Network, and IoT Security Training”, Bera et al. (2021) provide Challenge on Demand for Hardware systems (Industrial Control Systems, FPGA).
- “Design of Remote Service Infrastructures for Hardware-based Capture-the-Flag Challenges”, Marongiu and Perra (2021) related to PAIDEUSIS, with the foundations for hardware-based Challenge on Demand.
- “Lowering the Barriers to Capture the Flag administration and Participation”, Kevin Chung (2017) in which it is a limitation of CTFd, where picoCTF has an “autogen” challenge feature.
- “Automatic Problem Generation for Capture-the-Flag Competitions”, Burket et al. (2015) discusses the problem of generating challenges on demand, regarding fairness evaluation for players.
- “Scalable Learning Environments for Teaching Cybersecurity Hands-on”, Vykopal et al. (2021) discusses the problem of creating cybersecurity environments, similarly to Challenge on Demand, and provide guidelines for production environments at scale.
- “GENICS: A framework for Generating Attack Scenarios for Cybersecurity Exercices on Industrial Control Systems”, Song et al. (2024) formulates a process to generate attack scenario applicable in a CTF context, technically possible through approaches like PAIDEUSIS.
Conclusions
Even if there are some solutions developed to help the community deal with the Challenge on Demand problem, we can see many limitations: only Docker, Kubernetes and AWS ECS are covered, and none is able to provide the required genericity to consider other providers, even custom and private ones.
A production-ready solution would enable the community to explore new kind of challenges, both technical and scientific.
This is why we invested in creating Chall-Manager: provide a free, open-source, generic, non-vendor-lock-in and ready-for-production solution.
What’s next ?
How we tackled down the complexity of building this system, starting from the genericity layer.