Fighting bugs: students hacking for IT security

“Fuzzy” of course can mean unfocused or fluffy. A quality perfectly embodied by the cute yellow bugs – the mascots of the IT security enthusiasts LosFuzzys at TU Graz. The students themselves, though, with their passion for information security are very focused when it comes to their goals. But in IT security games, known as “capture the flag” (CTF), they want to be right at the top – even among world-class competition. Team members understand “fuzzy” in the sense of open borders, as an invitation to non-computer-science students or school leavers to come round and check out the team. Stefan, Karl, and Roman give a glimpse into the daily life of LosFuzzys in the interview.

News+Stories: TU Graz researchers recently discovered serious security problems in computer processors: viz. Meltdown and Spectre. Is that what you do – uncover these kinds of loopholes?

Stefan: That’s going in the right direction, yes, but the researchers at the Institute of Applied Information Processing and Communications (IAIK) do it professionally and therefore much more intensively. At LosFuzzys we look at security problems in our free time. This starts with web applications, cryptography and network protocols – in other words the basis of information transmission, and ranges to system security at the software or operating system level. In short, our focus is on what software does and how it is integrated with hardware. The team dealing with Meltdown and Spectre at IAIC carries out research on the hardware itself – something we don’t do very often.

To make good software and hardware, it’s necessary to understand how someone who wants to attack you, proceeds. (Stefan)

Do LosFuzzys deal solely with software?

Roman: Mainly, yes. If at a future game, someone implements a Meltdown attack as a challenge – something not easy to set up – we would do it. Basically, the problems in these competitions come from the whole field of IT security. So it’s natural that hot topics are found in hacking competitions.

Cue hacking: so you’re on the right side of the force?

Karl: Yes, we are. In the community we usually talk in terms of white-hat- and black-hat hackers. The black hats are the baddies and the white hats are the goodies. These names come from western. The good cowboys and the sherrrifs always wear white hats, and the baddies always black hats (grins).
Stefan: To make good software and hardware, it’s necessary to understand how someone who wants to attack you, proceeds. That’s why there are constructive hackers – all completely legal. That’s very important for us. On the LosFuzzys website we have a manifesto which lays down how we behave ethically. This means that the LosFuzzys team only takes part in penetrating or cracking systems which have been specially built for this. For instance, in the course of CTF competitions or other training activities. We pursue a goal of understanding and learning, and not with the aim of causing damage.

So you’re a white-hat team which participates in competitions. So, how does it work?

Stefan: CTF competitions – capture-the-flag competitions – take place regularly. We take part every couple of weeks. In principle anyone worldwide can say “I’m now organising a competition.” Conferences, companies or other teams usually do this. We participate as LosFuzzys when the problem sounds exciting or when there’s a prize. People come together online from all over the world at international competitions, and at the end there is a high score – in other words, a ranking according to number of points. In some CTFs, the best ten teams are invited to a particular venue, where they take part against each other again. The banner over there (he indicates the wall) is from a CTF in Paris which we qualified for last year. On top of that, two people were in Singapore – we were the best European team there. But such particular on-location competitions are the exception – they mostly take place online. Usually at CTF competitions, we meet up at the LosFuzzys lab or in the IAIC seminar room, download the challenges, deal with the problem, solve it, and send the solution off.

How do you deal with challenges as a team?

Stefan: Most of the tasks need a lot of intensive work to be solved, so we work together on them. So at competitions it’s very much about exchanging information and sharing ideas. It’s much easier to acquire the necessary knowledge for challenges in a team. So we don’t just sit in front of a PC alone, we work together. In general there’s a strong social component being in the team – and we have a lot of fun with the challenge.
Karl: Cryptographic challenges, for example, are extremely exciting and fun because they’re usually mathematical puzzles. For instance, recently four of us worked on a challenge. Each person looks at the problem to get an overview, and then we draw the structure on a board and talk about it. As soon as we’ve formed an idea, we go to the computer and try it out.

How much time do you have to solve a challenge?

Roman: Most challenges take place over 24, 36 or 48 hours – so a weekend, maximum. But the whole team doesn’t work the whole weekend on the solution. Some people meet up in the morning, some only turn up in the afternoon, and we all come the next day. A team member may say, “That’s cool, I’ve got three hours free on Sunday, I’ll come for three hours.” This makes starting out easier.
Karl: That’s how I started, too. Then it grabbed my attention and I took more time for it.
Roman: The problem is, when you’re close to the solution, you bite harder and don’t want to let go. Three hours can very quickly become nine hours.

How can interested people get to know LosFuzzys?

Stefan: We also have lots of activities outside of competitions, like for example since autumn “Fuzzy Land”, a regular tournament that we hold ourselves. At Fuzzy Land you can look at the challenges online and take part. This is open to all interested persons; you don’t have to be studying at the TU Graz. You can get a lot of experience, and it’s a cool way of spending the time.
Roman: Part of the idea is to provide new members with challenges which we have made ourselves – using very simple and clear examples, so that new members can find a way into the subject matter. Since winter semester 2017/18, we’ve also offered a seminar on the topic of web security as an official course. Also, there is an open training session each Wednesday evening. It’s also open to people who are not at TU Graz, for instance for interested people who are leading up to their higher school leaving exams.

It also happens that people who haven’t done their higher school leaving exams also come to us. We want to develop this. (Roman)

What qualities do I have to have to be accepted into the LosFuzzys team?

Roman: There isn’t a formal membership. You just have to be curious, motivated. You have to be ready to inject a lot of effort and learn new things. Most team members come from the Faculty of Informatics and Biomedical Engineering. But we’ve also got physicists and electrical engineers. There are a broad range of problems and a certain amount of variation is a really good thing for us. It also happens that people who haven’t done their higher school leaving exams also come to us. We want to develop this.

Fuzzing is a technique used in software analysis, where random numbers play a role.