An information page for the Internet Security & Privacy Summer School
Lexi Pimenidis
One item at the very core of computer security is the field of software vulnerabilities [1]. Their presence is due to missing knowledge, false assumptions, or time pressure of any person in the process of designing, creating, installing, or simply: using programs [2]. The effect of a bug can be as vast as allowing any entity with the knowledge of its existence to take over the computer running the vulnerable software and force it to do arbitrary actions. Finding and exploiting errors in computer systems is of varying degree. It can range from trivial as in the case of most web applications [3], to tremendous difficult reverse engineering challenges which require in depth knowledge of hardware, OS, and applications.
In an security exercise like a "Capture the Flag" (CTF) [4], participants are taught the basic skills in order to take a first view behind the scenes of defending and attacking computer systems. In a closed environment each group of players is given a virtual server running multiple applications containing typical security related flaws. It is the task of the players to find these flaws - and use these to gain control of the other players' servers. In an aftermath to the game, a selected set of vulnerabilities and exploits will be disclosed to the players and discussed in as much depth as time remains.
[1] http://en.wikipedia.org/wiki/Vulnerability_(computer_science)
[2] http://www.acsa-admin.org/2001/papers/110.pdf
[3] e.g. http://packetstormsecurity.org/0707-exploits/joomla-sql.txt ,
http://www.securityfocus.com/bid/17526/info and many more
[4] http://www.cipher-ctf.org/, http://www.cs.ucsb.edu/~vigna/CTF/