For educators, a key challenge lies in designing experiences that invite students to explore creative applications of what they know as a means to solving a semi­-structured, or even unstructured, problem. Passive exercise (e.g., that tell students what to do or provide a series to commands to run) rarely hold learners attention or engage them in ways that promote mastery of the subject, and do not promote independence in learning. On the other hand, for students to become lifelong learners, it is imperative that they take responsibility for their own professional development beyond the classroom. Toward that end, we have embarked on an effort to create an engaging, fun, challenge-­based tournament that provides learners with material that holds their interest and engage them in ways that encourages independent or team­-based learning through an active exercise. The exercise is built on the belief that in order to advance cybersecurity education, we must provide platforms that allow individual learners to perform tasks in ways that are most similar to the real­-world environment for which they are preparing.

Specifically, in this short talk, we introduce a challenge-­based game framework called Riposte¹ built to support active learning exercises in protocol and binary reverse engineering. In Riposte, student learners are challenged to find ways to defeat automated clients (that, for example, collude against the learner) in a top-­down multi­-player shooter game. As the learners’ skills improve (e.g., by reaching different levels in the game), the automated clients also adapt their offensive strategies, thereby forcing the learner(s) to enhance their own skills to reach the next level. To stay atop the leaderboard, learners can choose to collaborate to accomplish several tasks, including taking advantage of weak client authentication, abusing weaknesses in data confidentiality to decrypt client-­server messages, leveraging weaknesses in integrity protections (e.g., via bit-­flipping attacks) to unmask new game functionality, mapping network messages to game play, redirecting code paths, etc. For educators, the framework provides mechanisms that allow for a fresh version of the game client to be downloaded every time client connects to the game server, thereby encouraging learners to design automated ways to patch a new client or adapt their existing (modified) client in ways that still abide to the learned protocol specifications. For educators, we also provide a simplified language for writing the automated clients, ways to support formation of teams, hints for learners, game documentation, all within IEEE’s Try-­CybSI web platform. We also report on our experience using Riposte as part of a semester-­long tournament at our home institution.

________
¹The term for a counterattack or quick retaliatory move in fencing.

Dr. Nadia Carlsten is the program manager for the Transition to Practice (TTP) program in the Cyber Security Division (CSD) of the Homeland Security Advanced Research Projects Agency in the DHS S&T. The TTP program identifies promising federally funded cybersecurity research and accelerates transition from the laboratory to the marketplace through partnerships and commercialization. Prior to her position in CSD, Dr. Carlsten led projects to improve Intellectual Property (IP) management and enterprise innovation, drive research and industrial partnerships, and promote technology transfer and commercialization at Accenture and the U.S. Department of Energy. She also is the founder of Carlsten Innovation LLC, a consultancy that specializes in providing services and solutions for implementing Open Innovation, leveraging IP, and quantifying innovation. She completed the Management of Technology Program at the Haas School of Business and earned degrees in physics and chemistry from the University of Virginia and a doctorate in engineering from the University of California, Berkeley.

Reed Sturtevant is a General Partner at The Engine, a technology venture fund launched by MIT. Reed was a Managing Director at seed venture fund Project 11 and Techstars Boston. He attended MIT and has a background in software. He ran Microsoft Startup Labs in Cambridge and was VP of Technology at Idealab, Boston. Early in his career he created Freelance Graphics which was acquired by Lotus Development Corp. He has been a lecturer at MIT Sloan and is a frequent speaker in MIT entrepreneurship courses and programs.

Chris Wysopal is Co-Founder, Chief Technology Officer at Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990’s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software. Chris received a BS in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

John Steven is the Senior Director of Security Technology and Applied Research at Synopsys, with two decades of hands-on experience in software security. Mr. Steven’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, Mr. Steven has provided strategic direction as a trusted adviser to many multinational corporations. Mr. Steven’s keen interest in automation keeps Synopsys technology at the cutting edge. Prior to acquisition by Synopsys, he was CTO and founder of Codiscope, a startup where he led the research and development of next-generation eLearning and static analysis products for developers. He also served as internal CTO of Cigital, the largest independent software security consulting firm prior to its acquisition. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and as the leader of the Northern Virginia OWASP chapter. He speaks with regularity at conferences and trade shows. Mr. Steven holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.

Stephen Boyer is the cofounder and CTO of BitSight Technologies. BitSight provides evidence-based ratings of security effectiveness to help organizations manage their security risk. Previously, Stephen was President & Cofounder of Saperix. He also led R&D programs at MIT Lincoln Laboratory, and he designed, developed, and tested products at Caldera Systems. He holds a Bachelors in Computer Science from BYU and Master of Science in Engineering and Management from MIT.

The panel will be moderated by Dr. Robert Cunningham of MIT Lincoln Laboratory. Dr. Cunningham is the leader of the Secure Resilient Systems and Technology Group and is responsible for initiating and managing research and development programs in cyber resilience and computer security. He also chairs the IEEE Cybersecurity Initiative.

Send advance questions to the Panel through twitter by referencing #IEEESecDev.