Italian CyberChallenge: the experience of the University of Cagliari team

(To Alessandro Rugolo)

In the past we have given space to the activity called CyberChallenge.IT, with an article that explained the subject of the tender and the selection procedures and announced the final phase for the June 27.
Now, after a few months we can draw conclusions but we have decided to do it together with the boys of one of the participating teams: the University of Cagliari team coordinated by Professor Giorgio Giacinto (1) and by Doctor Davide Maiorca (2) in quality of coach.

Let's start by getting to know the participants. Can you introduce yourself in a few lines? Who are you? What do you study?

My name is Lorenzo Pisu, I have 20 years and I am studying in the computer science course at the University of Cagliari.
I am Matteo Cornacchia and I am also enrolled in the computer science course at the University of Cagliari.
My name is Francesco Meloni, I have a degree in computer engineering and I am enrolled in a master's degree in Computer Engineering, Cybersecurity and Artificial Intelligence at the University of Cagliari.
I'm Daniele Pusceddu, I have 19 years and I have to do the last year of high school at the Scano Industrial Technical Institute in Cagliari, IT department.

Congratulations guys, I know it didn't go very well but I'm sure the next year will be better. To begin with we want to know what it feels like to take part in such a particular team race. What feelings did you feel? What prompted you to participate?

Participating in the race was an experience that put us to the test, surely there is a lot of adrenaline and a huge mental effort but it was a very positive experience and great growth both in terms of skills and on a personal level. I think the main reason we participated is to get involved, so I'd do it again!

For me the main motivation was certainly my curiosity already present in the field of Cybersecurity.
Within the courses, but above all in the phases of preparation and national competition, I had the opportunity to confront myself with people from the most varied backgrounds but with many common passions.

For me, the initiative was above all a precious opportunity to expand my knowledge not only of computer security, but also of the environment, both in terms of competition, and for the institutional and private realities that surround it. I can say without a shadow of a doubt that the program as a whole is the most valuable extracurricular experience I have ever attended.

The aspect that prompted me to participate was undoubtedly the desire to test myself and learn many technical aspects of computer security in a dynamic and competitive environment. The experience was configured in itself as a challenge that extensively tested my technical and teamwork skills. I am now great for the age target of the initiative, but considering my path and that of my team-mates throughout the Cyber ​​Challenge, I think that for boys still in high school or at the beginning of university it is an unmissable opportunity to make a big leap in terms of knowledge and skills in information security.

Now let's talk about the organizational aspect. How did you get organized? Did you appoint a leader? How did you make the decisions?

From the organizational point of view we were mainly divided based on roles
established before the race thanks to the precious advice of our coach Davide,
so we didn't find a leader among us, we made the decisions by communicating
and in keeping with what was established before the race.

Within the team of four people, we divided the individual tasks according to the skills acquired and the confidence in using the toolkit produced during the short preparation phase.

In this way the decisions were presented, and consequently were taken, by the person who had the most ability to select the appropriate response.

After the creation of the team we established tasks to organize the construction of a toolkit that would automate the sending of attacks on services in the context of the tender and which proved to be a successful tool. During the competition we were divided into work groups by two people who analyzed the services preferred by each couple. The attacks that were being written were automatically routed to the network by the toolkit that was implemented.

What was the most difficult aspect of the race? I'm not just talking about the final phase but the whole race, starting from the beginning of the selections.

The most difficult aspect of the race is perhaps finding the strength of will to never give up, sometimes it happens to be faced with enormous problems, both during the final race and during the selections, after hours of attempts to solve them, you get frustrated but you have to keep trying always, just so you can get results.

From my personal point of view, the part that by far presented itself as the most difficult along the way was not so much the individual technique, but the ability to make the most of the individual skills of the group members during the final phase.
Undoubtedly, the field that played a decisive role in the national final was the experience in the competition format and in teamwork in general.

Universities that did not have a pre-existing CTF reality (not necessarily exclusive to the CyberChallenge), having less than a month to coordinate and prepare an appropriate toolset, were faced with an essentially insurmountable deficit of competence.
In our case, the uniqueness of the situation made the experience particularly valuable for our training.

For me the most difficult aspect of the race was certainly the analysis needed to understand the functioning of the programs and the identification of attack vectors. Often, given the structure of the services, the modules were lost and vulnerability was sought with difficulty in the source code, when it was sometimes much more easily identified by a functional analysis of the program and its behavior. Once the attack vector was found, a feature common to all the tests was the fact that the exploit mode did not lead back to standard or known modes, but was often ad hoc for the service.

What did the final test consist of?

The final race consists of an Attack and Defense in which the various teams all have the same vulnerable machine to defend in which there are contents of the flags that are strings of text that if stolen allow the opponents to earn points. Each team attacks others by exploiting vulnerabilities and at the same time tries to defend itself against the attacks of other teams by correcting or "patchando" the vulnerabilities of its own machine.

In practice, each team receives an identical virtual machine. The purpose of the CTF is to analyze the intentionally vulnerable services present on the machine, and use this information to attack the machines of the opponents and at the same time protect themselves from the attacks of others.

Each team had a server with the same services exposed to the outside. These services (which could be websites as well as executables), had vulnerabilities. The first phase of the race, that of defense, consisted in finding these vulnerabilities with the aim of adjusting them to make one's system unassailable and in turn understand how to exploit them during the attack on the opponents.

You were very clear. But now tell me: have you thought about how to improve performances for next year? Do you plan to participate again? Will you be able to tell your young people about your experience at the University?

Yes, at the end of the race we gave an account of what went well and what
could be improved, this was perhaps the most important goal of the race, to improve.
Furthermore, these reports help us prepare for other competitions in which we will participate. We think and hope that we will have the opportunity to tell the experience to the youngest, it is a very important thing, we have not had the luck to have someone who had already participated in the past editions so we hope that our experience can be of help to those who will participate after us.
This was the first year that the University of Cagliari participated in the CyberChallenge.
Undoubtedly, this year's experience will have an even deeper meaning for those who will have the opportunity to try their hand in the CyberChallenge of next year.
Following the events of this year, a team was created with which we intend to participate in future CTFs with the support of children, teachers and support staff of the competition just ended.
As for me, I hope that our past and present experiences can serve as a springboard for future participants of similar initiatives in Cagliari.
Our team was the first to take on this challenge. The support therefore came only from our instructors. After the Cyber ​​Challenge the group of students who participated in the course was consolidated and training sessions are organized on various types of challenges. We count on these workouts to improve performance over the next few years, providing more support to new members and a stronger and stronger experience base. Having followed the Cyber ​​Challenge path to the end, if I have the opportunity I will be happy to tell my experience to motivate the future participants to engage in this experience with the same passion that I have matured.

Finally I am curious to know what you plan to do at the end of your studies. The cyber world in Italy needs experts, how do you plan to proceed to prepare for work? Has participation in CyberChallenge.IT opened any new paths for you?

Surely an important part of the preparation for the world of work is study, without a solid foundation it is difficult to grow in a work environment. Taking part in CyberChallenge.IT has certainly opened up new avenues for the future, both from a business and a scholastic point of view.
Within the CyberChallenge we have had the opportunity to confront ourselves, both locally and nationally, with the most disparate working and research realities, united by the demand for fans of the sector.

Surely it was an experience that opened my eyes to opportunities of which I was not aware, allowing me also to explore options I was already familiar with. However, for each door that opens, the selection criteria expand.
In short, I have no idea.

If you were to advise a freshman on the course of study to follow, what would you suggest?

Our advice for a freshman is to take advantage of opportunities during the course
of studies can be presented to try to get rich as much as possible, occasions like
CyberChallenge.IT should be seized immediately and allow you to find out which way is most suitable.

Cybersecurity is a field that is not only extremely vast but requires a higher level of basic competence than many scientific disciplines in the same area of ​​training.
Beyond the indispensable academic training advanced in the field of Information Technology or related discipline, anyone interested in this course of study must have constant motivation and proactivity in their individual development.

How do you see the future of Italy regarding the cyber dimension? If you had to make a suggestion to our decision makers, what would you say?

We need to invest in young people and we must offer them opportunities that can make their skills stand out from the classical course of study
In my opinion, initiatives like the CyberChallenge have an extraordinary potential long-term impact on employment and cyber security in the entire nation.
I hope to be able to attend similar initiatives, and to strengthen existing ones, even in the years to come.

Congratulations guys, the spirit is the right one, so good luck to the whole team, to your tutors and to those who will follow you.
But the compliments also go to the organizers of the edition. If the kids are satisfied they owe it to those who have made so much effort to put the competition together. Of course it does not end here so we look forward to seeing you next year.
Thank you guys…

(1) Giorgio Giacinto is professor of computer engineering at the University of Cagliari
(2) Davide Maiorca is a researcher in computer engineering at the University of Cagliari