
Microcorruption – Embedded Security CTF - lolptdr
https://microcorruption.com/login
======
tptacek
The timing here is interesting.

I wrote the kernel of Microcorruption (the emulator and the basic web
interface) as a "hack night" challenge for our team at Matasano. When we
couldn't get people to leave the office at 1:00AM that night, I decided we
should probably run it as an open CTF. I got Square to re-skin the interface
and teammates Hans and Nicholas (one of our absurdly overqualified interns) to
spend 6 months revamping the levels, and there you have it.

(Aside: I once asked Greg Brockman, then at Stripe, why Stripe's CTFs always
ended so quickly. Why would you ever take one of these things down, I
wondered? Greg told me I'd understand after a week of running it. So far as I
know, the only things that have ever caused problems for the Microcorruption
deployment were due to the log filesystem filling up.)

Anyways.

I left Matasano a year and a half ago to start Starfighter, a company based on
these kinds of games. Matasano used Microcorruption to do recruiting, but we
got so many qualified leads from it that it was sort of a waste to ever do
another one there.

As luck would have it, we just last week opened the beta test for
Starfighter's Microcorruption-style CTF. It's called Jailbreak. Here are the
change bars (design-wise; the two CTFs share no code):

- Jailbreak is AVR and Microcorruption is MSP430. AVR is much more...
interesting... to do memory corruption on.

- Jailbreak includes a compiler (we compile both to AVR in later levels and
to a bytecode VM that runs out of the emulator's dmem, and escaping that
interpreter is the goal of several levels). Microcorruption was just GCC.

- Jailbreak is multiple cores, and connects to the market we use for the
Trading CTF we did in January. All the cores in Jailbreak are event-driven;
they "run" "constantly", and respond to network events. Microcorruption sort
of kind of rebooted with every user input.

We're beta-testing the "trainer" for Jailbreak right now, and I expect it to
be open to the public on Tuesday or Wednesday of next week (we'll open it up
when the beta testers clear all the levels, which hasn't happened yet, which
is due mostly to very bad documentation and lots of balance problems, which is
why we beta test these things). The trainer is 10 levels that are very similar
in style to Microcorruption; the full CTF will probably be out in early-mid
July.

~~~
malisper
Do you have any tips for how a company should approach building its own CTF?

~~~
tptacek
I do. I'm writing something up about this, but anyone trying to do a hiring
CTF is welcome to reach out and contact me.

Generally, the most important advice I can give is: have a clear distinction
between public CTFs, which are _outreach_ mechanisms, and work-sample
challenges, which are _qualifiers_. Don't qualify candidates with CTFs! Use
CTFs to organically pull in the sorts of developers who tend to qualify well
--- and, ideally, use work-sample challenges for all or most of that
qualification.

------
a1k0n
I wonder: Did Square/Matasano end up hiring many people from this? It was a
super fun challenge either way...

~~~
tptacek
Matasano did. I don't know what Square did. Hiring at Matasano was pretty much
defined by the Crypto Challenges, Microcorruption, and a short battery of
work-sample challenges we gave to all candidates regardless of how we found
them.

------
SyneRyder
Probably worth mentioning that Jailbreak (which has been described as
"Microcorruption dialed to 11") is nearing completion at Starfighters. I
understand it's in private beta right now.

[http://starfighters.io/](http://starfighters.io/)

~~~
tptacek
The trainer we're releasing this week is Microcorruption dialed up to about 8.
:)

------
chc4
I got sucked into this a couple months ago, and it was a blast. I had
experience with reverse engineering and creating exploits before, though, and
it ramps up way too quickly with no introduction. If I didn't already know
what to do, it would have been extremely short before I got stuck.

I'm eagerly awaiting Starfighter's analogous exploit tech path, since it's by
the same person (people?)

~~~
Retr0spectrum
I tried about a year ago and I couldn't get past the first proper level - I
just didn't grok it.

In the meantime, I've done quite a lot of CTFs, reverse engineering, binary
exploitation etc. I tried again yesterday, and I'm already up to "Algiers". I
guess that just goes to show that it isn't really suitable for absolute
beginners like I was, unless you're very perseverant.

~~~
kbenson
It's a lot to absorb without some background. I was playing it about a year
ago until I ran out of free time (still want to go back and finish), but it
brought back a lot of memories of programming assembly in college, which
probably helped.

------
sjra
Finished this a while ago - it was great fun, and I learned a lot.

I understand Square/Matasano ran it to hire people at the time - could anyone
tell me if having completed it means I can be considered able to do a job in
the field, and someone worth hiring? Or is the CTF just an introduction to the
field? I have been doing a lot of learning since, and understand there is a
vast (and endlessly fascinating) amount to learn beyond what's in the CTF -
but what level do I need to be at before I consider applying for jobs? I
remember reading that Matasano used to send candidates books to read and learn
from as part of the interview process (which just sounds like my dream
company) - as someone who would happily learn whatever it takes during the
interview process and on the job, what level do I need to be at before I even
consider applying?

~~~
tptacek
Yes, if you can finish Microcorruption and you're interested in software
security, you should consider applying for software security jobs. Most
software security practitioners can't understand, let alone write, assembly
language for any platform.

~~~
sjra
Thanks tptacek, I'm really glad to hear that! (The first part, not the
second!) That's really enough? I find it hard to believe, as that is not at
all what I see in job ads, and everyone I follow and read and learn from seems
to know so much. I was even going to hold off trying Jailbreak until I'd done
more learning and practising. But will take heart from what you said and see
what I can find. Thanks again (and for Microcorruption) - looking forward to
Jailbreak!

~~~
daeken
I'm an ex-Matasanoite and completely agree with 'tptacek. If you can complete
Microcorruption, you certainly don't know all you need to know, but you
absolutely have the skills you need to learn anything you don't already know.

~~~
hyperpower
Do you have any advice for breaking into the field? I'm nearing the completion
of a CS master and want to get into security. I completed Microcorruption a
half year ago and loved it. I'm also mostly through Cryptopals, but I don't
know anything about what the field looks like in practice. What kind of job
openings (or titles) should I be looking for?

~~~
tptacek
If you've got the crypto challenges through set 5 and finished
Microcorruption, there isn't a software security job that you should not
consider applying for. I'd bone up on web application security just so you can
have an easier time clearing interviews.

------
codepie
For a beginner in CTF, [https://picoctf.com/](https://picoctf.com/) is also a
good resource.

~~~
ymse
I enjoyed Natas[0] some years back, which is a simple and relaxed web security
(only) challenge. They have other games too, no login required.

0:
[https://overthewire.org/wargames/natas/](https://overthewire.org/wargames/natas/)

------
brudgers
I believe this was developed at Matasano Security, user tptacek's former
venture.

------
joshumax
I still have nightmares about the LockITall LockIT pro all these years
later...

------
fapjacks
"The engineers responsible have been sacked."

------
nxzero
Anyone know of a good walkthrough if you get stuck?

~~~
Retr0spectrum
With all these kinds of CTFs, the chances of being able to do the _next_ level
after you read a writeup are rather small. It's better just to come back to it
when you have more skills.

~~~
nxzero
Hard to believe that there would not be a chain of steps to gain access. Are
you saying that there are, but that the steps in this case are always bundled
and in a set series?

(Might be worth stating if in fact you've finished the CTF challenge;
otherwise, what makes you sure this is the case?)

~~~
kbenson
I think the idea is that there is such a level of understanding required to
really supply an answer that unless the walkthrough is _extremely_
informative, and you take extra time to really understand what it's
explaining, then you'll likely have problems on the next level. But yes, it
should be possible to have a walkthrough that you can learn from. I think a
set of progressive hints would work better.

~~~
nxzero
In my opinion, having a challenge without a deadline, where a walkthrough or
hints are available, wastes interest in the topic; aka get an email, build
interest, etc.

~~~
hyperpower
You can find walkthroughs by googling a bit (I myself wrote walkthroughs for
the last 4 levels), but I'd highly recommend doing it without cheating. The
amount you learn from figuring it out yourself is exponentially more than what
you learn from reading a walkthrough. Most important is how you learn to
think, by carefully looking for vulnerabilities and examining what you have
control over and how the program uses your input.

Spend enough time learning the instruction set and the concepts involved and
the answers will become apparent.

~~~
nxzero
Learning to cheat is part of the progress, but agree that at some point Google
is not an option.

Honestly, this really isn't for me, but based on experience teaching a wide
variety of people, some people learn in different ways and are more willing
to take something new on if they feel they won't break "it" (which is what the
website does) and feel there's a built-in way of getting to done. Most users
get that connecting the dots isn't the same as DIY, but it's still an option
that helps some users who would never have tried, but were interested in the
topic. Thanks for commenting.

