Research Vision
Big Learning, Small Challenges
If we cannot make learning cybersecurity easy, then we will make it fun. Many capture-the-flag (CTF) competitions are designed by elite hackers for elite hackers, but on the CyLab Security Academy team we have software engineers, system admins, artists, students, teachers, administrators, new hackers, old hackers and we make a competition for high school and middle school students. Being so close to the Plaid Parliament of Pwning (PPP), every CyLab Security Academy competition has mind-bending challenges to challenge the saltiest hacker, but that’s the end of the journey for anyone prepared enough to make it that far.
Two key aspects separate CyLab Security Academy from other CTF’s: we provide the necessary tools to solve challenges to every participant & we provide “on-ramp” challenges in almost every category. About the first point, our website includes a “web shell” that grants access to our Linux server where we have pre-installed tools that participants need to analyze and solve challenges. The upshot is that high school students with access to old hardware or non-traditional devices (such as Chromebooks) can still participate. No preparation or installation of tools is required for CyLab Security Academy. Second, about “on-ramp” challenges, our team carefully crafts challenges that slowly introduce participants to using the shell, to making use of extensive learning resources we provide, and to the traditional CTF categories themselves, namely: binary exploitation, reversing, web exploitation, forensics, cryptography. Some on-ramp challenges fall under a “general skills” category which many times are computer science concepts such as number bases or encodings which are crucial to understanding many other problems farther down the path.
Finally, as far as “fun”… not everyone is motivated by competition (though many are). We also provide a videogame each year to provide something enthralling for explorers. Participants discover problems slowly as they solve others, and the yearly competition inspires collaboration between student teams. There is no way to make every cybersecurity concept easy, but our multifaceted strategy for making learning about cybersecurity enjoyable inspires students to work together, to learn to solve seemingly intractable challenges and incidentally learn quite a bit about computers and security along the way.
Past Papers
pico-Boo!: How to avoid scaring students away in a CTF competition (2019)
Abstract: The lack of computer security experts poses a challenge for the private sector and national security. To encourage middle & high school students to learn more about cybersecurity, picoCTF was created in 2013. picoCTF is a “capture the flag” computer security exercise built on top of a video game that teaches students technical skills such as reverse engineering, forensics, cryptography, and binary exploitation. The challenges are specifically designed to be hackable and provide a safe and legal way to explore cybersecurity. Since the first competition in 2013, picoCTF has grown from around 2,000 teams to 8,000 eligible middle & high school US & CA teams and over 27,000 total global participants in the 2018 competition. Two key changes have been implemented since the competition’s inception to improve learning outcomes and increase student engagement. More introductory and intermediate difficulty problems were added to each category, gradually increasing in difficulty. Also, a new “classroom” feature was added to the competition that allows teachers to create internal scoreboards and track student progress. An analysis of the results of the 2018 competition shows that these new problems kept students engaged for more problems in the competition, and students with teachers who utilized the classrooms feature performed better than students with teachers who did not.