A Design for a Collaborative Make-the-Flag Exercise

  • Matt BishopEmail author
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 531)


Many people know how to compromise existing systems, and capture-the-flag contests are increasing this number. There is a dearth of people who know how to design and build secure systems. A collaborative contest to build secure systems to meet specific goals—a “make-the-flag” exercise—could encourage more people to participate in cybersecurity exercises, and learn how to design and build secure systems. This paper presents a generic design for such an exercise. It explores the goals, organization, constraints, and rules. It also discusses preparations and how to run the exercise and evaluate the results. Several variations are also presented.



Thanks to Dan Ragsdale of Texas A&M University and Kara Nance of the Virginia Polytechnic Institute and State University for helpful discussions. The author gratefully acknowledges support of the National Science Foundation under Grant Numbers DGE-1303211 and OAC-1739025, and a gift from Intel Corporation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, Intel Corporation or the University of California at Davis.


  1. 1.
  2. 2.
    Adams, W.J., Gavas, E., Lacey, T., Leblanc, S.: Collective views of the NSA/CSS cyber defense exercise on curricula and learning objectives. In: Proceedings of the Second Workshop on Cyber Security Experimentation and Test. USENIX Association, Berkeley, August 2009.
  3. 3.
    Anderson, R.: Why information security is hard–an economic perspective. In: Proceedings of the 17th Annual Computer Security Applications Conference. IEEE Computer Society, Los Alamitos, December 2001.
  4. 4.
    Anderson, R., Moore, T.: Information security economics – and beyond. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 68–91. Springer, Heidelberg (2007). Scholar
  5. 5.
    Conklin, A.: The use of a collegiate cyber defense competition in information security education. In: Proceedings of the Second Annual Conference on Information Security Curriculum Development, pp. 16–18. ACM, New York, September 2005.
  6. 6.
    Cowan, C., Arnold, S., Beattie, S., Wright, C., Viega, J.: DefCon capture the flag: defending vulnerable code from intense attack. In: Proceedings of the 2003 DARPA Information Survivability Conference and Exposition. IEEE Computer Society, Los Alamitos, April 2003.
  7. 7.
    Hoffman, L.J., Rosenberg, T., Dodge, R., Ragsdale, D.: Exploring a national cybersecurity exercise for universities. IEEE Secur. Priv. 3(5), 27–33 (2005). Scholar
  8. 8.
    Leban, B., Bendre, M., Tabriz, P.: Web application exploits and defenses (2017).
  9. 9.
    Linde, R.R.: Operating system penetration. In: Proceedings of the AFIPS 1975 National Computer Conference, pp. 361–268. ACM, New York, May 1975.
  10. 10.
    Mullins, B.E., Lacey, T.H., Mills, R.F., Trechter, J.M., Bass, S.D.: How the cyber defense exercise shaped an information-assurance curriculum. IEEE Secur. Priv. 5(5), 40–49 (2007). Scholar
  11. 11.
    Pusey, P., Gondree, M., Peterson, Z.: The outcomes of cybersecurity competitions and implications for underrepresented populations. IEEE Secur. Priv. 14(6), 90–95 (2016). Scholar
  12. 12.
    Pusey, P., OBrien, C.W., Lightner, L.: Preparing for the collegiate cyber defense competition (CCDC): a guide for new teams and recommendations for experienced players. National Cyberwatch Center, Largo, January 2015.
  13. 13.
    Vigna, G.: Teaching network security through live exercises. In: Irvine, C., Armstrong, H. (eds.) Security Education and Critical Infrastructures. IFIPAICT, vol. 125, pp. 3–18. Springer, Boston (2003). Scholar
  14. 14.
    Vigna, G., Borgolte, K., Corbetta, J., Doupe, A., Fratantonio, Y., Invernizzi, L., Kirat, D., Shoshitaishvili, Y.: Ten years of iCTF: the good, the bad, and the ugly. In: Proceedings of the 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education. USENIX Association, Berkeley, August 2014.
  15. 15.
    Werther, J., Zhivich, M., Leek, T., Zeldovich, N.: Experiences in cyber security education: the MIT Lincoln laboratory capture-the-flag exercise. In: Proceedings of the Fourth Workshop on Cyber Security Experimentation and Test. USENIX Association, Berkeley, August 2011.

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. 1.University of California at DavisDavisUSA

Personalised recommendations