Accession Number:



AutoCTF: Creating Diverse Pwnables via Automated Bug Injection

Descriptive Note:

Technical Report

Corporate Author:

MIT Lincoln Laboratory Lexington United States

Report Date:


Pagination or Media Count:



Capture the Flag (CTF) is a popular computer security exercise in which teams compete one against the other to attack and/or defend programs in real time. CTFs are currently expensive to build and run; each is a bespoke affair, with challenges and vulnerabilities crafted by experts. This limits both educational value for players and what researchers can learn from them about the human activities such as vulnerability discovery and exploitation. In this work, we take steps towards making CTFs cheap and reusable by extending our LAVA bug injection system to add exploitable vulnerabilities, enabling rapid generation of new CTF challenges. New LAVA bug types, including a memory corruption and an address disclosure, form a sufficient set of primitives for program exploitation in most cases. We used these techniques to create AutoCTF, a week-long event involving teams from four universities. For evaluation, we conducted surveys and semi-structured interviews after the event to understand how AutoCTF differed from a handmade CTF, assessing not only challenge realism and difficulty but also the relative effort expended on bug finding and exploit development. Our preliminary results indicate that AutoCTF can form the basis for cost-effective and reusable CTFs, allowing them to be run often and easily to train new generations of security researchers as well as provide empirical data on human vulnerability discovery and exploit development.

Subject Categories:

  • Computer Systems
  • Computer Systems Management and Standards

Distribution Statement: