High School Cyber Sleuths Make it to the Big League
High schoolers aren’t usually the first responders when it comes to solving a murder. But 35 students from 10 U.S. high schools and two in Abu Dhabi had just the right skills to crack the High School Forensics (HSF) challenge, one of six major games comprising the world’s biggest student cybersecurity competition, the Cybersecurity Awareness Week (CSAW) games at the NYU Tandon School of Engineering.
Designed to give young students interested in computer security a chance to test their skills, the HSF challenge is a murder-mystery game requiring teams of students to analyze electronic evidence to solve a fictitious crime that includes a financial element including Bitcoin. Students in grades 9-12 are eligible for HSF, working in teams of up to three students. This year, a record 800 teams from across the world competed in the online preliminary round. The top 12 teams from the United States and the UAE will travel to New York to play in the NYU CSAW finals November 12-14, 2015, competing not just for the title of HSF winner, but for more than $450,000 in scholarships.
Judges and student team leaders also announced the finalists for the Applied Research Competition, which brings the best young researchers together to outline their published work, and the Policy Challenge, which this year poses the question: Should the government offer “bug bounties” the way top tech firms do to encourage hackers to find and disclose flaws in their systems?
The 2015 CSAW HSF finalist teams are:
1064CBread, Dos Pueblos High School, Goleta, California
Team members: Paul Grosen, Kenyon Prater, Kenzie Togami
Arxenix, Nashua High School South, Nashua, New Hampshire
Team members: Sahil Shah, Ankur Sundara, Aashish Welling
ASMASA, Arkansas School for Mathematics, Sciences and the Arts, Hot Springs National Park
Team members: Hayden Aud, Martin Boerwinkle, William Yang
Bletchley Park, GEMS American Academy, Abu Dhabi
Team members: Joseph Baxter, Magnus Christensen, Alec Karlsen
chicken nugger, Poolesville (Maryland) High School
Team members: Seunkyoon Bong, Karan Chawla, Matthew Feng
#freethegeese, Illinois Mathematics and Science Academy, Aurora, Illinois
Team members: Matthew Dyas, Arianna Osar, Anna Shabayev
LIGHT, Delhi Private School, Dubai
Team members: Vinamr Madan, Shobhit Narayanan, Shubham Sharma
PHS Absol, Poolesville (Maryland) High School
Team members: Parth Oza, Kevin Shen, Claude Zou
The Deductive Failures, Adlai E. Stevenson High School, Lincolnshire, IL
Team members: Alex Shi, Liyang Zhang, Austin Zhou
The Deductive Fuzzyhashers, Thomas Jefferson High School for Science and Technology, Alexandria, Virginia
Team members: Samuel Damashek, Hyo Won Kim, Fox Wilson
The Entire PHP.net Security Team, Pocono Mountain East High School, Swiftwater, Pennsylvania
Team members: Anna Kelly, Gus Naughton
The Flying Penguins, Thomas Jefferson High School for Science and Technology, Alexandria, Virginia
Team members: Samuel Kim, Eric Wang
“It’s extraordinary to see the level of interest and talent from so many young students in this first round of the High School Forensics challenge,” said Emily Wicki, a junior at the NYU Tandon School of Engineering and one of the two student leads for the HSF challenge. “This year, we launched a suite of free online resources to help students build their security skills. We can’t wait to see how they perform in the finals in November.”
Wicki and her student co-lead for HSF, Christopher Thompson, both competed in NYU CSAW while they were still in high school—Wicki’s team from Red Bank, New Jersey, won in 2011 and placed among the finalists in 2012, and Thompson was part of the Poolesville (Maryland) High School finalist team in 2013. They subsequently enrolled in the NYU School of Engineering, where they became two of the most active leaders in its student-driven cybersecurity events. When he isn’t organizing the HSF challenge during finals, Thompson will be competing in the signature 36-hour-long Capture the Flag hacking contest for undergraduates.
The CSAW judges also announced the winners of the Applied Research Competition, a contest for graduate and doctoral-level security researchers who have published papers in the past year. An esteemed pool of judges from academia and companies including Google, Facebook, AT&T, IBM, and others reviewed a record 82 submissions, selecting the 10 leading papers for presentation at CSAW.
The ten finalist papers are:
Bohatei: Flexible and Elastic DDoS Defense
Authors: Seyed K. Fayaz, Yoshiaki Tobioka, and Vyas Sekar, Carnegie Mellon University; Michael Bailey, University of Illinois at Urbana-Champaign
A Generic Approach to Automatic Deobfuscation of Executable Code
Authors: Babak Yadegari, Brian Johannesmeyer, Benjamin Whitely, Saumya Debray, The University of Arizona
ObliVM: A Programming Framework for Secure Computation
Authors: Chang Liu, Xiao Wang, Kartik Nayak, Elaine Shi, University of Maryland; Yan Huang, Indiana University
Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration
Authors: Soo-Jin Moon, Vyas Sekar, Carnegie Mellon University; Michael K. Reiter, University of North Carolina
Type Casting Verification: Stopping an Emerging Attack Vector
Authors: Byoungyoung Lee, Chengyu Song, Taesoo Kim, Wenke Lee, Georgia Institute of Technology
Preventing Use-after-free with Dangling Pointers Nullification
Authors: Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Wenke Lee, Georgia Institute of Technology; Long Lu, Stony Brook University
AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis
Authors: Zhaoyan Xu, Robert Baykov, Guangliang Yang, Guofei Gu, Texas A&M University; Antonio Nappa, Juan Caballero, IMDEA Software Institute, Madrid, Spain
Morpheus: Automatically Generating Heuristics to Detect Android Emulators
Authors: Yiming Jing, Ziming Zhao, Gail-Joon Ahn, Arizona State University; Hongxin Hu, Clemson University
Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS
Authors: Luyi Xing, Xiaolong Bai, XiaoFeng Wang, Kai Chen, Indiana University Bloomington; Shi-Min Hu, Tsinghua University; Tongxin Li, Xinhui Han, Peking University; Xiaojing Liao, Georgia Institute of Technology
SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps
Authors: Jianjun Huang, Xiangyu Zhang, Purdue University; Zhichun Li, Xusheng Xiao, Zhenyu Wu, Guofei Jiang, NEC Labs America; Kangjie Lu, Georgia Institute of Technology
One of the newest events at CSAW is the Policy Competition. Launched in 2014, this event invites participating teams to propose public policy solutions to a real-world computer security challenges. The 2015 challenge centers on the controversial question of whether or not the United States should implement a “bug bounty” program—a system of rewards for security researchers who find vulnerabilities in major software programs and networks.
The top five teams will present their policy ideas to an expert panel of judges at the CSAW finals, who will choose one winner based on feasibility, depth of knowledge and the creativity of their approach.
The five finalist teams are:
- Carnegie Mellon University: Casey Canfield, Frankie Catota, Nirajan Rajkarnikar
- NYU School of Law: Kevin Kirby & Clay Venetis
- United States Naval Academy: MIDNs Zachary Dannelly, Max Goldwasser, William Young
- University of Connecticut: Anthony Barletta, Waldemar Cruz, Eugene Kovalev
- University of Illinois: Jonathan Roemer, Jeffrey Bigg, Magdala Boyer, Michael Burdi, Matt Loar
NYU CSAW runs from November 12-14 at the NYU Tandon School of Engineering in Downtown Brooklyn. The event is home to one of the world’s largest round-the-clock student hackathons, the CSAW Capture the Flag competition, the Embedded Security Contest that tests hardware hacking and protection skills, a fast-paced Homeland Security Trivia Quiz, speeches, seminars, networking, and an unusual Career Fair in which the employers court the attendees instead of the other way around.
Sponsors for CSAW 2015 are Gold Level—U.S. Department of Homeland Security; Silver Level—Goldman Sachs, GitHub, IBM (which will also host the welcome reception and a networking event for CTF and High School Forensics finalists), and MWR Info Security; Bronze—Facebook, FireEye, LifeLock, National Security Agency, Navy Civilian Careers-U.S. Navy, NCC Group USA, Oceans Edge Inc., Palentir, Palo Alto Networks, Qualcomm Inc., Raytheon, Two Sigma, and Yelp; Supporting Level—Accuvant, Cubic, Cypher Tech Solutions, Intel Corporation, LIFARS, MIT Lincoln Laboratory, PWC, Rakuten Loyalty, Sandia National Laboratories, and the U.S. Secret Service. The Center for Advanced Technology in Communications at NYU Tandon is a CSAW partner.
For more information or to register, visit csaw.engineering.nyu.edu.
The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn.