As security defenses in the software layer become increasingly more complex and secure, malicious agents have been searching for alternative attack vectors to bypass these defenses, such as hardware vulnerabilities. By exploiting these hardware vulnerabilities, attackers can circumvent software security measures. Given this new threat, the hardware industry is researching ways to fortify its security defenses, but there is a major problem: Lack of security engineers. Traditionally, universities have not trained students with a security mindset. To foster this security mindset and to develop the next-generation hardware security engineers, like-minded researchers have created a security competition, at the premier venue for the design and automation of electronic systems, the Design Automation Conference (DAC).
Hack@DAC is a competition in which teams compete to find security bugs in a given system-on-a-chip (SoC). This mimics the real-life scenario where security engineers must find bugs in the design given to them by the design team. The bugs can range anywhere from the leakage of secret information to allowing an attacker to corrupt data to bring down an entire system. While this all sounds exciting, there is one major issue faced by organizers in running Hack@DAC. Organizers want to use a design that mimics the real-world scenario, but no company is willing to share their designs in a public space for students to "attack." To address this challenge, two industry giants, Intel and Qualcomm have joined hands with the Hack@DAC organizers to develop an open-source SoC riddled with security bugs.
After a successful event at last year’s conference, Hack@DAC returns this year with a record-breaking 46 teams, with participants ranging from across three continents and eight countries. The competition has not only attracted academic teams, but six industry teams. This year’s competition is being held in two phases.
In Phase I (Alpha), teams were given two months to analyze the provided bug-riddled hardware design and report any security bugs found while also providing specific bug and detection information. Phase I turned out to be a massive success with 188 total bug submissions, a ~300% increase from inaugural Hack@DAC’2018 (63 bug submissions).
The bugs were scored on a scale of twenty points. Up to a total of ten points were given for the proper identification of a bug, while up to five points were earned when teams provided a proper description of a test or script to confirm the bug, and up to five more points were given for a team proposing a correct solution for the bug. A panel of well-versed judges from industry scored these bugs.
At the end of Phase I, thirteen teams have been selected as the finalists. These include 11 academic teams and one industry team. The last one is a mixed team, comprising of members from both industry and academia. The final scoreboard is available here.
In Phase II (Beta), RTL of a new buggy SoC (currently stored in a locker room of a casino) will be released to the teams in the competition room at DAC. In this room, the teams will compete in real time to find security bugs in the design and score as many points as possible by the time limit. The winning teams will be announced and given their prizes at the Hack@DAC award ceremony at 3:30 on Tuesday June 4th.
Since the teams will be too busy hacking to explain anything about their work during the contest itself, there is a special session on Tuesday June 4th in the Designer Track to disseminate the knowledge from the contest. This special session will explain the details of the buggy open-source SoC used in the contest, and the top-scoring teams will give presentations on the techniques they successfully used to find security bugs in the SoC.
One final event Hack@DAC will be presenting is at 3:00pm at the DAC Pavilion. This will be a live Demo involving the famous IoT botnet Mirai attack. The demo will show how the Mirai malware works on real IoT devices, e.g., IP cameras. It will illustrate the attack process step by step to explain the attack mechanisms as well as the consequences in detail for each attack stage. Stop by the DAC Pavilion on Wednesday and enjoy this lively demo.
We look forward to seeing all of you at DAC and reminder check out the current scoreboard.
Hack@DAC is a competition in which teams compete to find security bugs in a given system-on-a-chip (SoC). This mimics the real-life scenario where security engineers must find bugs in the design given to them by the design team. The bugs can range anywhere from the leakage of secret information to allowing an attacker to corrupt data to bring down an entire system. While this all sounds exciting, there is one major issue faced by organizers in running Hack@DAC. Organizers want to use a design that mimics the real-world scenario, but no company is willing to share their designs in a public space for students to "attack." To address this challenge, two industry giants, Intel and Qualcomm have joined hands with the Hack@DAC organizers to develop an open-source SoC riddled with security bugs.
After a successful event at last year’s conference, Hack@DAC returns this year with a record-breaking 46 teams, with participants ranging from across three continents and eight countries. The competition has not only attracted academic teams, but six industry teams. This year’s competition is being held in two phases.
In Phase I (Alpha), teams were given two months to analyze the provided bug-riddled hardware design and report any security bugs found while also providing specific bug and detection information. Phase I turned out to be a massive success with 188 total bug submissions, a ~300% increase from inaugural Hack@DAC’2018 (63 bug submissions).
The bugs were scored on a scale of twenty points. Up to a total of ten points were given for the proper identification of a bug, while up to five points were earned when teams provided a proper description of a test or script to confirm the bug, and up to five more points were given for a team proposing a correct solution for the bug. A panel of well-versed judges from industry scored these bugs.
At the end of Phase I, thirteen teams have been selected as the finalists. These include 11 academic teams and one industry team. The last one is a mixed team, comprising of members from both industry and academia. The final scoreboard is available here.
In Phase II (Beta), RTL of a new buggy SoC (currently stored in a locker room of a casino) will be released to the teams in the competition room at DAC. In this room, the teams will compete in real time to find security bugs in the design and score as many points as possible by the time limit. The winning teams will be announced and given their prizes at the Hack@DAC award ceremony at 3:30 on Tuesday June 4th.
Since the teams will be too busy hacking to explain anything about their work during the contest itself, there is a special session on Tuesday June 4th in the Designer Track to disseminate the knowledge from the contest. This special session will explain the details of the buggy open-source SoC used in the contest, and the top-scoring teams will give presentations on the techniques they successfully used to find security bugs in the SoC.
One final event Hack@DAC will be presenting is at 3:00pm at the DAC Pavilion. This will be a live Demo involving the famous IoT botnet Mirai attack. The demo will show how the Mirai malware works on real IoT devices, e.g., IP cameras. It will illustrate the attack process step by step to explain the attack mechanisms as well as the consequences in detail for each attack stage. Stop by the DAC Pavilion on Wednesday and enjoy this lively demo.
We look forward to seeing all of you at DAC and reminder check out the current scoreboard.
Add new comment