Design and orchestration of hardware-based Capture-the-Flag challenges for hybrid cyber-ranges

Ivan Lombardi, Teresa Torresani

Supervisors: Paolo Ernesto Prinetto, Matteo Fornero. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2022

PDF (Tesi_di_laurea) - Thesis
Restricted to: Repository staff only until 20 December 2025 (embargo date).
License: Creative Commons Attribution Non-commercial No Derivatives.

The massive digitalization that is happening in many sectors implies significant cybersecurity issues; therefore, the role of cybersecurity experts is crucial in many environments. In a context where the attack surface is so large and diverse, it is important to train people to adopt multiple approaches; the knowledge of techniques on how to attack cyberspace, in fact, is as important as knowing how to defend it. For this reason, platforms known as cyber-ranges have emerged. Cyber-ranges simulate real-world environments providing virtual scenarios that offer a secure and legally compliant platform where users acquire the experience and skills to detect and eliminate cyber threats. One of the most stimulating and engaging activities offered by cyber-ranges is known as Capture the Flag (CTF) competition, which implements a gaming approach. CTFs require the players to complete as many challenges as possible in a specific amount of time by stealing as many flags as possible. A flag consists of a sequence of intentionally hidden alphanumeric characters embedded in programs or websites exposed to vulnerabilities. The challenges cover several technical, scientific, and ethical areas of cybersecurity, including cryptography, hardware security, web security, reverse engineering, programming, and many more. An interesting aspect related to the low-level implementation of cyber ranges is the technique used for automatically organizing and managing scenarios. Each scenario is dynamic, meaning that it must be instantiated and managed in a completely transparent way whenever a user needs to access it. Without an orchestration framework, the infrastructure for managing user sessions and scenarios would have to be operated manually, which would make cyber ranges very expensive and not very scalable.
This thesis aims at investigating, from a theoretical and practical point of view, the usability of the orchestration language CRACK-SDL for the design and management of scenarios hosted on a hybrid cyber-range named PAIDEUSIS. CRACK-SDL is a high-level language that allows the definition of a scenario, its elements, and the relationships between them, without the need to know any implementation details, as everything is based on functional blocks. The use of a scenario definition language is particularly challenging when dealing with a hybrid cyber range, which also consists of non-virtualized hardware. Indeed, this study also goes in the direction of a customized orchestration tool for PAIDEUSIS to account for the complexity that arises from the use of real hardware. To concretize the study on the applicability of an SDL to PAIDEUSIS, this thesis also entailed the development of a CTF scenario involving two different hardware devices that are automatically orchestrated to simulate an environment corresponding to the vault of a bank, where the flag is stored. To capture the flag, the user must compromise two physical devices: the first simulates an alarm system and the second an access control system for the vault. This thesis is a joint effort between Teresa Torresani and Ivan Lombardi. Teresa focused on the study of CRACK-SDL and on the implementation of the CTF concerning the second hardware device, while Ivan worked on the implementation of a basic orchestrator and of the CTF concerning the first hardware device.

Supervisors: Paolo Ernesto Prinetto, Matteo Fornero
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 74
Degree programme: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating companies: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/25442