[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Hiding Backdoors in plain sight, again

The CoreTex Competitions Team from Core Security is happy to announce
the *2nd Open Backdoor Hiding & Finding Contest* to be held at DEFCON
0x13 this year!

Hiding a backdoor in open source code that will be subjected to the
scrutiny of security auditors by the hundreds may not be an easy task.
Positively and unequivocally identifying a cleverly hidden backdoor may
be extremely difficult as well. But doing both things at DEFCON 0x13
could be a lot of fun!

If you liked to read about exploits of C. Auguste Dupin, the devious
Minister D. or even The n00b Prefect Monsieur G. [*] here's a chance to
role play all of them at DEFCON using your favorite coding and code
auditing techniques.

Our prizes, this year, for both, the winner of the Hiding stage and the
winner of the Finding stage are
An USRP-1 with its RX and TX modules for samplig DC to 50Mhz (check

Registration is now open at http://www.backdoorhiding.com

Questions, feedback, comments and general discussion at Defcon Forum

Here are the details:

Quick intro

Two in one Backdoor Hiding/Finding Contest (participate in either or
both): In the first stage, hiding participants provide a source code
hiding a backdoor, in the second stage organizers mix the source codes
with non-backdoored (placebos), and then ask finding participants to
spot the placebos. Hiding participants get hiding points for being voted
as a placebo and finding participants get points for spotting the
placebos and negative points for false positives.
Contest Description

The contest includes two games: a backdoor hiding and a backdoor finding
contest which are played simultaneously. This is a multi-player game,
which is played in two stages. The timeline is included below.

Prizes will be announced shortly. We will give prizes for both stages of
the contest.

Stage 1 (hiding): All participants registered for the backdoor hiding
game are given a set of requirements for a software program. Before the
deadline, they must submit the source code for a program that fulfills
these requirements plus includes a backdoor. They must also send a
description explaining how to exploit the backdoor.

Stage 2 (finding): All players registered are given a bundle with the
different pieces of source code. To each bundle the organizers will add
a few placebos (source codes that fulfill the requirements but should
not include a backdoor). Before a deadline, the players must answer for
each source code if they believe it includes a backdoor or not.

The winners of each game are the ones that accumulate the most points.
Here is the table for computing points (which can be positive or
negative) for the finding contest:

Finding: Scoring Table	Placebo	Backdoored
Correctly Identified	5 (voted as placebo)	2 (voted as backdoored)
Incorrectly Identified	-1 (voted as backdoored)	-12 (voted as placebo)

For the hiding contest, it’s simpler: each time one player’s source code
was voted as non-backdoored, the player is given 1 point. The
participants with most points at the backdoor hiding contest will win.

Same thing happens with the finding contest.

The contest is not restricted to any particular programming language.
However, it is part of the instructions that the “work” was commissioned
by a government that needs this software and will audit it. Hence, most
players will stay away from non-mainstream programming languages –since
the non-backdoored programs will most probably be developed in C, C++, etc.

- July 1st, we open registration at contest web site:

- July 18th, starting of hiding stage and publication of requeriments.

- August 3rd, end of hiding stage and first control of the juty.

- August 4th, opening of finding stage.

- August 6th, contest closing and announcement of winners.

Register now, have fun and see you at DEFCON-0x13 !

[*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from
the 1845 tale "The Purloined Letter" by Edgar Allan Poe

Andres, Ariel, Carlos, Futo, Ezequiel & Pedro
The CoreTex team at Core Security Technologies