The CoreTex Competitions Team from Core Security is happy to announce the *2nd Open Backdoor Hiding & Finding Contest*, to be held at DEFCON 0x13 this year!

Hiding a backdoor in open source code that will be subjected to the scrutiny of security auditors by the hundreds may not be an easy task. Positively and unequivocally identifying a cleverly hidden backdoor may be extremely difficult as well. But doing both things at DEFCON 0x13 could be a lot of fun!

If you liked reading about the exploits of C. Auguste Dupin, the devious Minister D. or even the n00b Prefect Monsieur G. [*], here's a chance to role-play all of them at DEFCON using your favorite coding and code auditing techniques.

Our prizes this year, for both the winner of the Hiding stage and the winner of the Finding stage, are a USRP-1 with its RX and TX modules for sampling DC to 50 MHz (check www.ettus.com).

Registration is now open at http://www.backdoorhiding.com

Questions, feedback, comments and general discussion at the Defcon Forum (https://forum.defcon.org/forumdisplay.php?f=603)

Here are the details:

Quick intro

Two-in-one Backdoor Hiding/Finding Contest (participate in either or both): In the first stage, hiding participants submit source code that hides a backdoor. In the second stage, the organizers mix these submissions with non-backdoored programs (placebos) and then ask finding participants to spot the placebos. Hiding participants get hiding points each time their code is voted as a placebo; finding participants get points for spotting the placebos and negative points for false positives.

Contest Description

The contest includes two games, a backdoor hiding contest and a backdoor finding contest, which are played simultaneously. This is a multi-player game, played in two stages. The timeline is included below. Prizes will be announced shortly. We will give prizes for both stages of the contest.

Stages

Stage 1 (hiding): All participants registered for the backdoor hiding game are given a set of requirements for a software program. Before the deadline, they must submit the source code for a program that fulfills these requirements and also includes a backdoor. They must also send a description explaining how to exploit the backdoor.

Stage 2 (finding): All registered players are given a bundle with the different pieces of source code. To each bundle the organizers will add a few placebos (source code that fulfills the requirements but should not include a backdoor). Before a deadline, the players must answer, for each piece of source code, whether they believe it includes a backdoor or not.

The winners of each game are the ones that accumulate the most points. Here is the table for computing points (which can be positive or negative) for the finding contest:

Finding: Scoring Table

|                        | Placebo                  | Backdoored              |
|------------------------|--------------------------|-------------------------|
| Correctly Identified   | 5 (voted as placebo)     | 2 (voted as backdoored) |
| Incorrectly Identified | -1 (voted as backdoored) | -12 (voted as placebo)  |

For the hiding contest, it’s simpler: each time a player’s source code is voted as non-backdoored, the player is given 1 point. The participants with the most points in the backdoor hiding contest will win. The same applies to the finding contest.

The contest is not restricted to any particular programming language. However, it is part of the instructions that the “work” was commissioned by a government that needs this software and will audit it. Hence, most players will stay away from non-mainstream programming languages, since the non-backdoored programs will most probably be developed in C, C++, etc.

Timeline

- July 1st: we open registration at the contest web site: http://www.backdoorhiding.com.
- July 18th: start of the hiding stage and publication of requirements.
- August 3rd: end of the hiding stage and first check by the jury.
- August 4th: opening of the finding stage.
- August 6th: contest closing and announcement of winners.

Register now, have fun and see you at DEFCON-0x13!

[*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from the 1845 tale "The Purloined Letter" by Edgar Allan Poe

--
Andres, Ariel, Carlos, Futo, Ezequiel & Pedro
The CoreTex team at Core Security Technologies