XCTF Finals 2017: Rules of the 3rd XCTF International League Finals
  • Article 1
    16 domestic and international teams are selected through the qualifier rounds of the 3rd XCTF International League to enter the Finals. Each team may have at most 4 players on site. Each team must independently develop an AI-assisted automated vulnerability discovery tool and deploy it on a server at the competition venue; the tool takes part in XCTF Finals 2017 together with the team.
  • Article 2
    XCTF Finals 2017 is scheduled for three days, September 11-13 (Beijing time, tentative), in Beijing, with play from 09:00 to 17:00 each day. Day 1: deployment of AI programs and platform testing. Day 2: Jeopardy format, in which the AI tools independently and automatically discover vulnerabilities, and the human teams exploit them based on the vulnerability information the AI tools found. Day 3, 09:00 to 16:00: Attack & Defense format, in which the AI tools assist the teams in attacking and defending each other. Day 3, 16:00 to 17:00: sharing session and award ceremony.
  • Article 3
    The organizers set the challenges: a total of X binary-service vulnerability discovery and exploitation (Pwn) challenges on a designated Linux distribution serve as the Day 2 Jeopardy challenges. Each challenge has a base value of 1000 points, split into 500 for the vulnerability detection stage and 500 for the vulnerability exploitation stage, with dynamic scoring (the more teams solve a challenge, the lower its value; points for the challenge = 500 / (number of solving teams + 9) * 10). The organizers select several Day 2 challenges and add 2 new ones, for a total of Y challenge environments in the Day 3 Attack & Defense contest.
  • Article 4
    The challenges resemble CTF Pwn challenges: they interact through standard input/output and are bound to a network port, and the deployment environment is Ubuntu 16.04. We provide a collection of source packages for 500 CVE-vulnerable software versions on Linux from the last ten years (to use them, compile and deploy them yourself and write a wrapper that connects the program's input/output to standard I/O and binds it to a network port), as well as binaries of some Pwn challenges from this year's XCTF League, as a reference test sample set for AI vulnerability discovery tools. They can be downloaded from http://202.112.51.152:8080/ and are for reference only; teams may test with sample sets they collect or write themselves (sharing is welcome :-)).
  • Article 5
    Day 2 Jeopardy rules
    (1) Multiple VM server instances are deployed for each challenge; the challenge description on the competition platform lists the instance addresses and their status, and the organizers' operations staff will try to keep at least 2 instances available at any time. Each instance has access limits, so players should test locally first and send test traffic to the server only after local tests succeed.
    (2) AI tools and teams compete in isolation from each other (a team's AI tool is deployed on a server; the team may only power it on, and each AI gets three reboot opportunities). Each accesses the challenge environment with the token the organizers assigned before the contest; the team's network segment is not allowed to access its own or other teams' AI tool servers.
    (3) In its initial state, the team network segment cannot access any challenge server, and no challenges are visible to it on the competition platform.
    (4) The AI tool network segment can access all challenge servers, and for the binary-service vulnerability discovery challenges, all challenge binaries can be downloaded from the competition platform once the contest starts.
    (5) The AI tool must automatically obtain the challenge description, the challenge binary and the challenge server IP/port from the competition platform, then attempt to trigger the vulnerability through automated analysis. For binary services, the detection condition is a PoC input that makes the challenge service crash or leak specific information (a read of address 0x23330000). When a team's AI tool triggers a challenge's vulnerability, the team receives the challenge's dynamic detection points (500 points if only one team solves it), is granted access to the challenge description and service environment, and receives the PoC input that triggered the vulnerability for the subsequent exploitation stage.
    (6) If a team successfully exploits the vulnerability and obtains the flag, it receives the dynamic points for the challenge's exploitation stage (likewise with a base of 500 points).
    (7) After the Jeopardy contest ends, each team's score plus the Attack & Defense base score of Y * 500 points becomes its initial score for the next day's Attack & Defense contest.
    (8) After the Jeopardy contest ends, the organizers will announce which Jeopardy challenges will be reused in the Attack & Defense contest and provide their binaries.
  • Article 6
    Day 3 Attack & Defense rules
    (1) The organizers select several Day 2 challenges and add 2 new ones on the second day, for a total of Y challenges in the Day 3 Attack & Defense contest. After Day 2 ends, the challenge descriptions, binaries, etc. are released to all teams; each team has its own independent set of challenge environments for mutual attack and defense.
    (2) Teams and AI tools work together on vulnerability discovery and exploitation. Teams may access the systems running their AI tools to tune them and analyze their results, use the vulnerabilities the AI tools find for exploitation and for patching and defense, and may also discover vulnerabilities manually.
    (3) Each team's initial Attack & Defense score is the base score of Y * 500 points plus its Jeopardy score. Traditional zero-sum rules apply, with rounds of 5 minutes (the organizers may shorten the round length near the end of the contest). If one of a team's services is compromised and its flag stolen, 15 points are deducted and split evenly among the other teams that obtained and submitted that flag; if a team's service fails its checker, 15 points are likewise deducted and split evenly among the other teams whose service is working. At the end of each round, the round's gains and losses are computed and team scores and rankings are updated round by round.
    (4) For each team and each challenge, the maximum deductible amount is 500 points plus that team's Jeopardy score on that challenge (500 to 1500 points). Once it is exhausted, that challenge loses no more points and other teams can no longer score from it.
  • Article 7
    The organizers audit team traffic based on tokens. Attacking the competition platform or network and disrupting the normal running of the contest is not allowed; if rule-violating access or suspected cheating is found and confirmed by investigation, the team will be warned or even disqualified.
  • Article 8
    XCTF Finals rankings are determined by final score: Champion (1st Place Winner, prize USD 20,000, RMB 100,000 after tax), Runner-up (2nd Place Winner, USD 10,000, RMB 50,000 after tax), Third Place (3rd Place Winner, USD 5,000, RMB 25,000 after tax), First Prize (Meritorious Winner, 3 teams, gifts with the XCTF logo), Second Prize (Honorable Mentions, 4 teams, gifts with the XCTF logo), Finalist Award (Final Participant, 6 teams).
  • Article 9
    AI server configuration: CPU: 6 Core * 2 HT; RAM: 36GB; DISK: 1TB SATA.
Sample APIs are now open; visit http://202.112.51.152:5000/ for more information.
For questions, leave a message on this page or contact the organizers directly (xctf@xctf.org.cn).

XCTF 2017 -- The 3rd XCTF International League Finals Rules
  • 1
    16 teams qualify for the Finals through the 3rd XCTF League Qualifiers, with up to 4 players per team at the onsite contest. Qualified teams are required to develop their own automated vulnerability discovery tools; these tools are deployed on servers at the competition site and take part in XCTF Finals 2017 alongside the teams.
  • 2
    The three-day XCTF Finals 2017 will take place on September 11-13 in Beijing. Day 1, 09:00-17:00: platform testing and AI tool deployment. Day 2, 09:00-17:00: Jeopardy-style CTF based on the information generated by the AI tools' automated vulnerability discovery; during the discovery process the AI works independently, and human team members can only access challenges that their own AI has crashed. Day 3, 09:00-16:00: Attack & Defense style CTF, with the AI in an auxiliary role. Day 3, 16:00-17:00: forum to share the AI designs, followed by the award ceremony.
  • 3
    We set a total of X PWN challenges on a designated Linux release for Day 2's Jeopardy. Each challenge is worth 1000 base points (500 vulnerability discovery points + 500 vulnerability exploitation points). A dynamic point mechanism is used: the more teams solve a challenge, the fewer points it is worth, with Value of a Challenge = 500 / (solved count + 9) * 10. Some Day 2 challenges will be chosen for Day 3 and 2 new challenges will be added, for a total of Y challenges on Day 3.
  • 4
    The challenges used in the Day 2 contest are similar to the PWN challenges of traditional CTFs: each challenge is interacted with through a standard I/O pipe and is bound to a network interface, and the deployment environment is Ubuntu 16.04. We provide the source code packages of 500 CVE vulnerabilities on the Linux platform from the last 10 years (to use them as test cases you need to compile and deploy the vulnerable software, write a wrapper that pipes the program's I/O to standard I/O, and bind it to the network interface), plus some PWN challenge binaries from this year's XCTF qualifying contests, as a reference test case dataset for your AI vulnerability discovery tool. The dataset can be downloaded at http://202.112.51.152:8080/. NOTE: the dataset is for reference only and its use is not required. Teams are encouraged to collect and write their own test cases for their AI tool, and are welcome to share their datasets.
  • 5
    Day 2: Jeopardy Rules
    (1) Several VM server instances are deployed per challenge. The challenge description on the contest platform lists the addresses and status of the VM server instances. The organizers maintain the platform to guarantee that at least 2 instances are available at any time.
    (2) Teams are isolated from their AI (the only operation a team can request on its AI is that the organizers reboot the AI server, up to 3 times). Teams access the contest environment with previously distributed tokens. The team access subnet has no access to the AI servers.
    (3) In the initial network state, teams cannot access any challenge server or view any challenge information on the contest platform.
    (4) The AI subnet has access to all challenge servers and can download the binary files of the PWN challenges from the contest platform when the game starts.
    (5) AI tools obtain the description, the binary file and the access IP/port from the competition platform automatically, and vulnerabilities are triggered by the AI tool's automated analysis. When an AI tool successfully triggers a crash or an information leak (a read operation on 0x23330000) of a challenge service: (a) the team gets the Discovery Dynamic Points (500 points initially), (b) the team members gain access to the challenge environment, (c) the team members receive the AI tool's PoC that triggered the crash.
    (6) If a team succeeds in exploiting the vulnerability and gaining the flag, it gains the Exploitation Dynamic Points (also 500 points initially).
    (7) When the Day 2 game ends, each team receives Y * 500 extra points as its initial points for Day 3.
    (8) When the Day 2 game ends, the Day 2 challenges that will be reused on Day 3 are announced, and their binaries are distributed to all teams.
  • 6
    Day 3: Attack and defense (A&D) tournament rules
    (1) Some Day 2 challenges are chosen for Day 3, and 2 new challenges are added. Before the A&D tournament starts, all challenges' descriptions, binary files, etc. are open to all teams. Each team has its own isolated set of environments running these challenges.
    (2) Team members and AI tools work together to discover and exploit vulnerabilities. Team members have full access to their AI tools.
    (3) Each team's initial Day 3 score is the base points (challenge count * 500) plus its Day 2 score. Zero-sum game rules apply, with 5 minutes per round (the organizers may shorten the round length in the last stage of the contest). A team is deducted 15 points when its flag is captured or its challenge service is down, and those 15 points are divided equally among the other teams. Teams' points and rankings are recalculated at the end of each round.
    (4) For each team and each challenge service, at most 500 + the points gained on it on Day 2 (500-1500 points) can be deducted. Once the maximum is reached, the team loses no more points on that service.
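The Day 2 dynamic formula from rule 3 and the Day 3 zero-sum settlement from rules 6(3) and 6(4), worked through in code. This is an added illustration, not the organizers' scoreboard; the team names, the challenge name `pwn1` and the round scenario are constructed, and it assumes that when fewer than 15 points remain under the cap only the remainder is deducted.

```python
# Added illustration of the scoring rules above (not the organizers' own code).
from collections import defaultdict

ROUND_LOSS = 15  # per service per round: flag stolen, or checker failed

def dynamic_points(solved_count: int) -> float:
    """Day 2: each stage of a challenge is worth 500 / (solved teams + 9) * 10."""
    return 500 / (solved_count + 9) * 10

def loss_cap(day2_points: float) -> float:
    """Day 3: at most 500 + the team's Day 2 points on that challenge can be lost."""
    return 500 + day2_points

def settle_round(scores, remaining, teams, captures, checker_down):
    """Apply one A&D round in place and return each team's delta.
    captures: {(victim, chal): set of attackers that submitted the flag}
    checker_down: {(team, chal)} whose checker failed this round
    remaining: {(team, chal): deductible points left} (assumption: a
    remainder below 15 is deducted in full, then the cap is exhausted)."""
    delta = defaultdict(float)

    def deduct(team, chal, beneficiaries):
        left = remaining[(team, chal)]
        if left <= 0 or not beneficiaries:   # cap exhausted: nobody scores from it
            return
        loss = min(ROUND_LOSS, left)
        remaining[(team, chal)] = left - loss
        delta[team] -= loss
        for b in beneficiaries:               # the loss is split evenly
            delta[b] += loss / len(beneficiaries)

    for (victim, chal), attackers in captures.items():
        deduct(victim, chal, sorted(attackers - {victim}))
    for (team, chal) in checker_down:
        deduct(team, chal, [t for t in teams if t != team and (t, chal) not in checker_down])
    for team, d in delta.items():
        scores[team] += d
    return dict(delta)

def example_round():
    """Constructed scenario: 4 teams, one challenge (Y = 1); only A solved it on Day 2."""
    teams = ["A", "B", "C", "D"]
    day2 = {"A": dynamic_points(1)}            # 500 points; B, C, D scored 0
    scores = {t: day2.get(t, 0) + 1 * 500 for t in teams}   # Day 2 score + Y * 500
    remaining = {(t, "pwn1"): loss_cap(day2.get(t, 0)) for t in teams}
    captures = {("A", "pwn1"): {"B", "C"}}     # B and C stole A's flag
    checker_down = {("D", "pwn1")}             # D's service failed its checker
    delta = settle_round(scores, remaining, teams, captures, checker_down)
    return delta, remaining, scores
```

In the constructed round A loses 15 to B and C (7.5 each) while D's checker failure hands 5 each to A, B and C, so the deltas sum to zero and each victim's remaining cap shrinks by 15.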
  • 7
    Organizers will audit each team's network traffic based on the team's token. Please adhere to a few simple rules: no cooperation between teams with independent accounts; sharing flags or giving revealing hints to other teams is cheating, so don't do it; no attacking the competition infrastructure (if bugs or vulnerabilities are found, alert the competition organizers immediately); no brute forcing of challenge flags or keys against the scoring site.
  • 8
    Final rankings are determined by the participants' game scores. Awards: 1st Place Winner (1 team, 20K USD, 20% tax included), 2nd Place Winner (1 team, 10K USD, 20% tax included), 3rd Place Winner (1 team, 5K USD, 20% tax included), Meritorious Winner (3 teams, gifts with the XCTF logo), Honorable Mentions (4 teams, gifts with the XCTF logo), Final Participation (6 teams).
  • 9
    AI server specification: CPU: 6 Core * 2 HT; RAM: 36GB; DISK: 1TB SATA.
Sample APIs are now open. Visit http://202.112.51.152:5000/ for more information.
If you have any questions, please leave a message or send an email to xctf@xctf.org.cn.
