DEF CON CTF主辦單位O.O.O.(Order of the Overflow)主辦者,也同時是美國亞歷桑納州立大學資工系教授Yan Shoshitaishvili(網路暱稱Zardus)於日前參加HITCON CTF論壇時,他正式對外公開PWN Collage的開源課程。

圖片來源: 

臺灣駭客協會提供

到底要怎麼透過現在流行的CTF(搶旗攻防賽),吸引更多對資安有興趣的資安人才呢?DEF CON CTF主辦單位O.O.O.(Order of the Overflow)主辦者,也同時是美國亞歷桑納州立大學資工系教授Yan Shoshitaishvili(網路暱稱Zardus)於日前參加HITCON CTF論壇時,他正式對外公開PWN College的開源課程,這是他用來培養美國對資安有興趣入門基礎課程,透過開源方式釋出,希望可以作為全世界培育資安人才的入門教材。

而臺灣從2014年開始的「跨校資安實務課程」,參與的學校包括臺大、交大和臺科大,負責相關課程規畫的老師,臺大資工系副教授蕭旭君、交大資工系教授黃俊穎、臺科大資工系副教授鄭欣明都認為,可以引進PWN College開源課程,作為培訓資安人才的教材。

CTF是吸引資安人才入門的管道之一

Yan Shoshitaishvili本身也曾經擔任美國聖塔芭芭拉CTF戰隊多年的隊長,先前也曾經多次來臺在HITCON發表演說。這一次,則是他任教美國亞歷桑納州立大學,並組成O.O.O.團隊承辦DEF CON CTF比賽後,再度來臺參加HITCON CTF活動。

面對外界質疑到底CTF是否是一個好的培育資安人才的入門管道呢?Yan Shoshitaishvili表示,CTF的確不是最好的資安入門方式,但CTF容易吸引學生的注意力;而相較常見的Wargame,容易恍神、不專注,CTF有其吸引人的優點。

他也說,以美國各個大學組成的CTF戰隊而言,通常都是需要對資安有經驗的專業人才,必須要招募具有即戰力的成員,而且各個CTF隊伍,都需要持續有新血投入。但他在任教時則發現,如何創造一個CTF隊伍,確保有源源不絕的資安和CTF新血投入,其實是更重要的事情。

打造開源PWN College,作為資安入門課程教材

因此,Yan Shoshitaishvili有一個全新的想法,希望將打CTF需要的各種能力分類分級,每一種類別和能力規畫成一個基本課程,在亞歷桑納州立大學開了一門ASU CSE 466:Computer System Security的課程,也稱之為「PWN College」,課程內容將打CTF具備的各種基本能力,仿效電影「小子難纏」練空手道一樣,區分成四種程度:白帶就是入門級的程度,黃帶則是一般資安人才需要的基本能力,棕帶則是具有進階CTF攻擊破解能力,黑帶則是頂級的CTF人才。

PWN College仿效電影「小子難纏」的空手道分級制度,分成白帶、黃帶、棕帶和黑帶等四個層級,CTF選手至少需要具備棕帶和黑帶的能力才行。

在經過一個學期逐步的調整,他將整個PWN College課程分成九個模組,包括二進位和逆向工程等課程,都有漸進的學習曲線,每一個課程都有不同程度的大量關卡,以寫Shellcode為例,每一個階層都會比上一個階層關卡更難一點,通過這樣的關卡挑戰,都可以慢慢增進自己的程度能力。

Yan Shoshitaishvili也說,像在學習Binary二進位法時,課程的內容除了有上課的演講,參考書目,還有PWN College中大量的闖關關卡,其中的關卡模組內容包括:SUID abuse in Linux(SUID在Linux作業系統的權限誤用);Shellcoding;Sandboxing(沙箱);逆向工程(包含Keygens和Crackmes);Simple Memory Corruption(記憶體崩潰):包含Buffer Overflow(緩衝區溢位);NX and Return Oriented Programming;Format String Attacks(格式化字串攻擊);Heap Exploitation;以及Kernel Security(作業系統核心安全)。

他說,這個課程上這門課沒有任何考試,CTF闖關就是成績,從開始授課以來,學生最常遇到的問題就是「時間不夠」,每週要花十小時到四十小時學習,這門課也被稱之為「亞歷桑納州立大學最難的一門課。」。為了避免不必要的誤解,他也解釋,這個PWN College模組並沒有網路連線,只能在自己的內部環境闖關,就不會不小心攻擊到別人。

因為這是給資安初學者的入門學習課程,每個學生在Github也有自己的模組,Yan Shoshitaishvili希望透過這樣的入門學習課程,把學生的資安能力從入門的白帶提升到進階的黃帶階段。

目前,PWN College只有三十臺機器,建置在Container的平臺上,未來會持續升級,Yan Shoshitaishvili表示,這個開源專案用在教育目前都是授權免費使用,但有人問到,企業有興趣用來作內部的資安基礎訓練課程,他認為,未來可以進一步談有關企業授權方案的使用。

PWN College目前釋出Beta版,教育授權免費,企業可以付授權費使用。

 

 

Organizer of DEF CON CTF, Yan Shoshitaishvili, 
First Public Release of Open Source Course “PWN College”

                                                                                                           

PWN College has nine modules, now the academics are able to use freely, enterprise can apply for specific license.

How to use CTF to attract more attention young talent of cyber security? Organizer of DEF CON CTF, O.O.O. (Order of the Overflow), Yan Shoshitaishvili, also professor of Arizona State University Computer Science and Information Engineering Department (also known as Zardus). Lately officially released PWN College at HITCON CTF Forum. PWN College open source course is developed by Yan, and use to cultivate Americans who are interested in cyber security to have a beginner course. Yan hopes that within this course, he can encourage more people from worldwide to learn more about cyber security. And now universities in Taiwan including National Taiwan University, National Chiao Tung University and National Taiwan University of Science and Technology are excited to introduce this course to their school, as a material to train their students. 

CTF is a way to attract more cyber security professionals

Yan Shoshitaishvili was also the team leader of the CTF, team Santa Barbara USA , for years. Facing of the suspect from outside, “Is CTF really a good way to breed cyber security young talent?”. Yan Shoshitaishvili answered, honestly CTF is really not the best way starting to learn cyber security. However, CTF has more attention with students, compare to Wargame, Wargame zone out easily and lost attention, CTF has its own advantages. Yan said to build out a CTF team needs both people with experience and new blood. During his teaching career, building up a CTF team is more about keeping the new blood to join. 

Open source course “PWN College” a beginner lecture for cyber security

Therefore, Yan has a whole new idea, he hopes to classify each level and each level has its own particular course. Yan started a class in Arizona State University called “ASU CSE 466”, a Computer System Security so called “PWN College”. The course has different levels, just like the movie The Karate Kid. While practicing Karate for each level, the white belt is beginners’ level, and yellow belt is the basic for cyber security talents, brown belt as advanced with ability to attack and crash others, last the black belt is the top of cyber security talent. For CTF players, you should at least reach brown belt or black belt. 

After a semester of progressing, he divided the PWN college into 9 modules, including Binary and Reverse engineering and so on, and each has its own and different stages.  

Yan Shoshitaishviliasl said, like learning Binary, during the course not only textbook PWN also provides massive levels to be completed, such as SUID abuse in Linux, Shellcoding, Sandboxing, Reverse engineerin (including Keygens and Crackmes), Simple Memory Corruption (including Buffer Overflow), NX and Return Oriented Programming, Format String Attacks, Heap Exploitation and Kernel Security.

There isn’t any exam for this class, the levels you passed will become the records. While teaching the class, Yan discovered most students faced the problem of not having enough time. They have to spend 10 to 40 hours per week to learn. This course has been named as the most difficult course in ASU. To avoid unnecessary misunderstanding, Yan explained PWN college doesn’t have any internet connection, so you won’t be able to attack others by accident.   

Due to the course is for beginners to learn about cyber security every student in GitHub has its own module. Yan wishes from this course, students can raise their level from beginner white belt to the advanced yellow belt. 

Currently, PWN college only has 30 machines, building on the platform Container. And PWN college will keep upgrading in the future. This open source course is now freely use for academics, if enterprises are interested in the course for their cyber security training they can apply for specific license.

熱門新聞

Advertisement