Each summer, members of the security community convene in Las Vegas for a week of talks, networking, and other activities at a series of conferences. At DEF CON specifically, a number of organizations host Capture the Flag (CTF) hacking competitions in which contestants either compete against each other by trying to access other teams' infrastructure while defending their own ("Attack with Defense"), or race to rack up the most points before the contest ends by answering
Last year at DEF CON 24, the Car Hacking Village (CHV) ran its own (Jeopardy-style) CTF for the first time, specifically targeting an “intro-level” difficulty in an effort to attract new people to the field of automotive security. Among the 20 actively participating teams, Team MK ended up taking home a Black Badge.
This year, with many more organizations pitching in to help with CHVCTF (including
While we used the same Python/Flask-based CTF platform (
Zappa, Lambda, and CTFd
Over the past few years, since the introduction of mainstream cloud-based code execution environments such as AWS Lambda, people have written a number of tools and frameworks to manage their usage and integration with other services. These include projects like Serverless for Node.js and Zappa for Python/Flask that allow developers to easily deploy web applications by programmatically triggering small standalone functions in order to serve requests, rather than relying on a traditional monolithic web server instance (or even a set of containerized web
(Note that “serverless” is a somewhat misleading term: standalone functions like AWS Lambdas still run on servers, it is just that the platform manages the creation of those servers for you, so you can also think of these types of deployments as “Function-as-a-Service.”)
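To make the “small standalone functions serving requests” model concrete, here is an added, deliberately stripped-down illustration of what Zappa does for a Flask app on Lambda; it is not Zappa's code or the CHVCTF deployment. The `app` function stands in for the Flask/CTFd WSGI application, and `SAMPLE_EVENT`, the `/healthcheck` path and the `ctf.example.com` host are constructed values.

```python
import io, sys
from urllib.parse import urlencode

def app(environ, start_response):
    """Stand-in for the Flask/CTFd WSGI app: a single health endpoint."""
    if environ["REQUEST_METHOD"] == "GET" and environ["PATH_INFO"] == "/healthcheck":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    start_response("404 NOT FOUND", [("Content-Type", "text/plain")])
    return [b"not found"]

def event_to_environ(event):
    """Map an API Gateway proxy event onto the WSGI environ a Flask app expects."""
    body = (event.get("body") or "").encode()
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    environ = {
        "REQUEST_METHOD": event["httpMethod"],
        "PATH_INFO": event["path"],
        "QUERY_STRING": urlencode(event.get("queryStringParameters") or {}),
        "SERVER_NAME": headers.get("host", "lambda"),
        "SERVER_PORT": "443",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "CONTENT_TYPE": headers.get("content-type", ""),
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.version": (1, 0),
        "wsgi.url_scheme": "https",
        "wsgi.input": io.BytesIO(body),
        "wsgi.errors": sys.stderr,
        "wsgi.multithread": False,
        "wsgi.multiprocess": False,
        "wsgi.run_once": False,
    }
    for name, value in headers.items():  # Host -> HTTP_HOST, and so on
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ

def lambda_handler(event, context=None):
    """Lambda entry point: each invocation serves exactly one HTTP request."""
    captured = {}
    def start_response(status, response_headers, exc_info=None):
        captured["status"] = int(status.split(" ", 1)[0])
        captured["headers"] = dict(response_headers)
    chunks = app(event_to_environ(event), start_response)
    return {"statusCode": captured["status"], "headers": captured["headers"],
            "body": b"".join(chunks).decode()}

# Constructed API Gateway event (not a captured one) for a local dry run.
SAMPLE_EVENT = {"httpMethod": "GET", "path": "/healthcheck",
                "headers": {"Host": "ctf.example.com"}, "body": None}
```

Because one invocation cannot rely on anything surviving from the previous one, session state, uploaded files and the database all have to live in external services rather than on the function's local disk.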
While this type of deployment isn’t ideal for all applications, in situations where it does make sense, you can often save a fair bit
For a relatively lightweight web app like
Even a standalone t2.nano (the smallest AWS EC2 general compute instance) would still have cost around $4-5 for the same period, but that would
While our work on this deployment of CTFd started at a company hackathon without a ton of time to prepare for production use at DEF CON, we enjoyed the challenge and had a better experience running the CHVCTF infrastructure than we did last year.
Stay tuned for the second part of this series, where we’ll talk about how we handled a last-minute fire...
Thanks to all of this year's CHVCTF sponsors and participants, and congratulations to Team