High School Cyber Sleuths Make it to the Big League

Students at CSAW

High schoolers aren’t usually the first responders when it comes to solving a murder. But 35 students from 10 U.S. high schools and two in Abu Dhabi had just the right skills to crack the High School Forensics (HSF) challenge, one of six major games comprising the world’s biggest student cybersecurity competition, the Cybersecurity Awareness Week (CSAW) games at the NYU Tandon School of Engineering.

Designed to give young students interested in computer security a chance to test their skills, the HSF challenge is a murder-mystery game requiring teams of students to analyze electronic evidence to solve a fictitious crime with a financial element involving Bitcoin. Students in grades 9-12 are eligible for HSF, working in teams of up to three students. This year, a record 800 teams from across the world competed in the online preliminary round. The top 12 teams from the United States and the UAE will travel to New York to play in the NYU CSAW finals November 12-14, 2015, competing not just for the title of HSF winner, but for more than $450,000 in scholarships.

Judges and student team leaders also announced the finalists for the Applied Research Competition, which brings the best young researchers together to outline their published work, and the Policy Challenge, which this year poses the question: Should the government offer “bug bounties” the way top tech firms do to encourage hackers to find and disclose flaws in their systems?

The 2015 CSAW HSF finalist teams are:

  • 1064CBread, Dos Pueblos High School, Goleta, California
    Team members: Paul Grosen, Kenyon Prater, Kenzie Togami

  • Arxenix, Nashua High School South, Nashua, New Hampshire
    Team members: Sahil Shah, Ankur Sundara, Aashish Welling

  • ASMASA, Arkansas School for Mathematics, Sciences and the Arts, Hot Springs National Park
    Team members: Hayden Aud, Martin Boerwinkle, William Yang

  • Bletchley Park, GEMS American Academy, Abu Dhabi
    Team members: Joseph Baxter, Magnus Christensen, Alec Karlsen

  • chicken nugger, Poolesville (Maryland) High School
    Team members: Seunkyoon Bong, Karan Chawla, Matthew Feng

  • #freethegeese, Illinois Mathematics and Science Academy, Aurora, Illinois
    Team members: Matthew Dyas, Arianna Osar, Anna Shabayev

  • LIGHT, Delhi Private School, Dubai
    Team members: Vinamr Madan, Shobhit Narayanan, Shubham Sharma

  • PHS Absol, Poolesville (Maryland) High School
    Team members: Parth Oza, Kevin Shen, Claude Zou

  • The Deductive Failures, Adlai E. Stevenson High School, Lincolnshire, IL
    Team members: Alex Shi, Liyang Zhang, Austin Zhou

  • The Deductive Fuzzyhashers, Thomas Jefferson High School for Science and Technology, Alexandria, Virginia
    Team members: Samuel Damashek, Hyo Won Kim, Fox Wilson

  • The Entire PHP.net Security Team, Pocono Mountain East High School, Swiftwater, Pennsylvania
    Team members: Anna Kelly, Gus Naughton

  • The Flying Penguins, Thomas Jefferson High School for Science and Technology, Alexandria, Virginia
    Team members: Samuel Kim, Eric Wang

“It’s extraordinary to see the level of interest and talent from so many young students in this first round of the High School Forensics challenge,” said Emily Wicki, a junior at the NYU Tandon School of Engineering and one of the two student leads for the HSF challenge. “This year, we launched a suite of free online resources to help students build their security skills. We can’t wait to see how they perform in the finals in November.”

Wicki and her student co-lead for HSF, Christopher Thompson, both competed in NYU CSAW while they were still in high school—Wicki’s team from Red Bank, New Jersey, won in 2011 and placed among the finalists in 2012, and Thompson was part of the Poolesville (Maryland) High School finalist team in 2013. They subsequently enrolled in the NYU School of Engineering, where they became two of the most active leaders in its student-driven cybersecurity events. When he isn’t organizing the HSF challenge during finals, Thompson will be competing in the signature 36-hour-long Capture the Flag hacking contest for undergraduates.

The CSAW judges also announced the winners of the Applied Research Competition, a contest for graduate and doctoral-level security researchers who have published papers in the past year. An esteemed pool of judges from academia and companies including Google, Facebook, AT&T, IBM, and others reviewed a record 82 submissions, selecting the 10 leading papers for presentation at CSAW.

The ten finalist papers are:

  • Bohatei: Flexible and Elastic DDoS Defense
    Authors: Seyed K. Fayaz, Yoshiaki Tobioka, and Vyas Sekar, Carnegie Mellon University; Michael Bailey, University of Illinois at Urbana-Champaign

  • A Generic Approach to Automatic Deobfuscation of Executable Code
    Authors: Babak Yadegari, Brian Johannesmeyer, Benjamin Whitely, Saumya Debray, The University of Arizona

  • ObliVM: A Programming Framework for Secure Computation
    Authors: Chang Liu, Xiao Wang, Kartik Nayak, Elaine Shi, University of Maryland; Yan Huang, Indiana University

  • Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration
    Authors: Soo-Jin Moon, Vyas Sekar, Carnegie Mellon University; Michael K. Reiter, University of North Carolina

  • Type Casting Verification: Stopping an Emerging Attack Vector
    Authors: Byoungyoung Lee, Chengyu Song, Taesoo Kim, Wenke Lee, Georgia Institute of Technology

  • Preventing Use-after-free with Dangling Pointers Nullification
    Authors: Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Wenke Lee, Georgia Institute of Technology; Long Lu, Stony Brook University

  • AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis
    Authors: Zhaoyan Xu, Robert Baykov, Guangliang Yang, Guofei Gu, Texas A&M University; Antonio Nappa, Juan Caballero, IMDEA Software Institute, Madrid, Spain

  • Morpheus: Automatically Generating Heuristics to Detect Android Emulators
    Authors: Yiming Jing, Ziming Zhao, Gail-Joon Ahn, Arizona State University; Hongxin Hu, Clemson University

  • Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS
    Authors: Luyi Xing, Xiaolong Bai, XiaoFeng Wang, Kai Chen, Indiana University Bloomington; Shi-Min Hu, Tsinghua University; Tongxin Li, Xinhui Han, Peking University; Xiaojing Liao, Georgia Institute of Technology

  • SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps
    Authors: Jianjun Huang, Xiangyu Zhang, Purdue University; Zhichun Li, Xusheng Xiao, Zhenyu Wu, Guofei Jiang, NEC Labs America; Kangjie Lu, Georgia Institute of Technology

One of the newest events at CSAW is the Policy Competition. Launched in 2014, this event invites participating teams to propose public policy solutions to real-world computer security challenges. The 2015 challenge centers on the controversial question of whether or not the United States should implement a “bug bounty” program—a system of rewards for security researchers who find vulnerabilities in major software programs and networks.

The top five teams will present their policy ideas to an expert panel of judges at the CSAW finals, who will choose one winner based on feasibility, depth of knowledge and the creativity of their approach. 

The five finalist teams are:

  • Carnegie Mellon University: Casey Canfield, Frankie Catota, Nirajan Rajkarnikar
  • NYU School of Law: Kevin Kirby & Clay Venetis
  • United States Naval Academy: MIDNs Zachary Dannelly, Max Goldwasser, William Young
  • University of Connecticut: Anthony Barletta, Waldemar Cruz, Eugene Kovalev
  • University of Illinois: Jonathan Roemer, Jeffrey Bigg, Magdala Boyer, Michael Burdi, Matt Loar

NYU CSAW runs from November 12-14 at the NYU Tandon School of Engineering in Downtown Brooklyn. The event is home to one of the world’s largest round-the-clock student hackathons, the CSAW Capture the Flag competition, the Embedded Security Contest that tests hardware hacking and protection skills, a fast-paced Homeland Security Trivia Quiz, speeches, seminars, networking, and an unusual Career Fair in which the employers court the attendees instead of the other way around.

Sponsors for CSAW 2015 are Gold Level—U.S. Department of Homeland Security; Silver Level—Goldman Sachs, GitHub, IBM (which will also host the welcome reception and a networking event for CTF and High School Forensics finalists), and MWR Info Security; Bronze—Facebook, FireEye, LifeLock, National Security Agency, Navy Civilian Careers-U.S. Navy, NCC Group USA, Oceans Edge Inc., Palantir, Palo Alto Networks, Qualcomm Inc., Raytheon, Two Sigma, and Yelp; Supporting Level—Accuvant, Cubic, Cypher Tech Solutions, Intel Corporation, LIFARS, MIT Lincoln Laboratory, PWC, Rakuten Loyalty, Sandia National Laboratories, and the U.S. Secret Service. The Center for Advanced Technology in Communications at NYU Tandon is a CSAW partner.

For more information or to register, visit csaw.engineering.nyu.edu.

The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn.