Hackathon and Design Jam take place starting at 13.00 and end at 16.00.
Please sign up here: https://forms.gle/2Cfbu93AS29kLtPz7
The goal of the Hackathon is to dive into how to understand and find, in practice, cybersecurity vulnerabilities in product code. All teams can choose one of the problems to address.
The prerequisites for the Hackathon is that you know how to program and have at least one other person in your team.
Problem 1: Finding Selected CVEs in the product code
In this problem, we try to write a program that will go through the code for an OSS operating system (Azure RTOS), and finds two selected CVEs.
Imagine that you are writing a code for this product – are there any vulnerabilities of this kind in my code? How to find them? How to show that there are “potential” vulnerabilities of similar kind?
Code to analyze: Azure RTOS (github.com)
CVEs to find (you can also find more CVEs, or even choose other ones):
- QNX Neutrino Rtos : List of security vulnerabilities (cvedetails.com)
- CVE-2004-1390 : Multiple buffer overflows in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allow remote attackers to execute arbitrary code v (cvedetails.com)
Success criteria: The team is done when they can present a set of lines/blocks of code in the Azure RTOS, which can potentially expose these threats. You should both demonstrate the code and show a short presentation.
The teams are allowed to use both own scripts, tools available on the internet or any combination of these.
Tips: since these CVEs are memory-related, finding memory handling code could be a good start.
Problem 2: Finding which CVEs are applicable for a given product
In this problem, we try to parse the CVE database and find which CVEs are applicable, based on their description, content, code, etc. The team can choose themselves how to make the match.
To make this a little more concrete:
- let’s say that we use this product: Azure RTOS (github.com)
- Pick any part of the code (max 100 LOC)
- Classify them into a category that can be relevant for a CVE (e.g. signature handling)
- Find the CVEs based on that category in https://cvedetails.com
Since the time is limited, we probably cannot make the API calls to the CVE database, so a manual input of a search string produced by the program is also ok.
Success criteria: The team is done when they can present a set of CVEs from the database, which are relevant for the code. They need to describe why these CVEs are relevant.
- 13.15: Introduction to the topic
- 13.25 – 15.30: Hackathon
- 15.30 – 16.00: Presentation of the solutions
The goal of the Design Jam is to raise awareness of how to handle security from a perspective of product and process management, not the software development side.
In the design jam, the participants will play a game: Elevation of Privilege Threat Modelling Game
13:15 – 16:15 Design Jam
- 13:15 – 13:25 Introduction
- 13:25 – 13:35 Microsoft SDL practices
- 13:35 – 13:45 Cybersecurity metrics
- 13:45 – 16:15 Elevation of Privilege Threat Modeling Cyber Security Card Game
- 13:45 – 14:15 Explanation of rules & award
- 14:15 – 15:30 Game time (gloves off) 😊
- 15:30 – 16:00 Reflections – debriefing
- 16:00 – 16:10 Celebrating award winners