The Toorcon RootWars event on September 25-26, 2004, at the Manchester Grant Hyatt hotel in San Diego represented the second time the OpenInfreno team had put on the event, and the first time the OpenInfreno Open Source software had been used. It also represented a departure from an SAIC sponsored and run RootWars (they only did so in 2003, but it was expected they would do so in 2004 as well.) While SAIC did not sponsor the event, most of the team was made up of SAIC employees, and they did allow us to borrow their hardware for the event.
The RootWars game started at roughly 16:00 on Saturday, September 25th, and ran to 20:00, then started back up at 12:00 on Sunday, September 26th and ran till 17:00. The reason for the tardiness on Saturday was three fold...first, no teams had signed up until 13:00 (and we didn't get two of the three teams until after 15:00.) Second, the score-manager server had failed, and was being reimaged. And finally, the Toorcon folks had to borrow our only working projector in order to use in the conference until a suitable replacement could be obtained. While the event was supposed to begin at 12:00, it was only supposed to go until 18:00. Roughly 9 hours were available to the teams when only 11 hours were planned. Given this, the event itself went off pretty close to expected.
This year, the scorebot was agent based, with an agent running on each target, sending packets to the server for collection and scoring. Teams fought to place flags in the root directory of each target, and upon doing so, the agent caught the flag and noticed it to the scorebot. The agent worked flawlessly on a number of the targets, but either had portability problems or other issues on the rest of the targets. An additional way of scoring was added this year, in the form of a ticket server which allowed attackers to gain points by pointing out vulnerabilities in the system and instructions on how to fix those vulnerabilities.
Three teams participated in the event. Two of the teams finished the event, while the third left during the event due to sickness. The three teams participating in the event were: Team Hax0r (who participated and won last year,) Knocked Up, and Digital Revelation (who participated and came in second place last year.)
A problem that continually seems to plague the event is the fact that we bring a large number of targets only to have most of them eliminated because the scorebot couldn't properly score them. The same is true for this year, unfortunately, despite our best efforts. Out of 15 targets brought with us this time, only seven of those targets had working agents. The targets, ranging from Redhat Linux to OpenBSD, all had a number of vulnerabilities in them which allowed an attacker access to the system.
Team Digital Revelation scored the first root, on two Windows boxes. Unfortunately, because of difficulties with porting the agent software, both machines were immediately removed after the root (along with all Windows and Solaris machines.) The two Windows machines were not supposed to be online at the time, as we were having difficulties with the agent, but they were left online on accident. 40 points were awarded for the root, and another 100 were awarded for the trouble ticket provided by the attacker.
Team Hax0r had the next root, on Foobsd (a FreeBSD 4.8 box,) and held that root up until the end of the game.
Several other machines were rooted during the match, and some of the machines switched hands a number of times. The final outcome (as shown in the image below,) however, was that Digital Revelation owned 3 of the seven boxes, while Team Hax0r owned one.
The scores were extremely close between the two teams, and both teams swapped places a number of times throughout the game. The final score between the two remaining teams was 2,135 points for Team Hax0r, and 2,079 points for Digital Revelation. The teams were evenly matched, as they were last year, and it was thought that Digital Revelation would be the winner up until the last moment when Team Hax0r jetted by them, and they were unable to recover the gap between the teams.
As with every year, there were a number of problems and issues that came up which affected game play. The first, and the main one, was that our agent would compile successfully, but would not work on Windows and Solaris platforms. This was compounded by the fact that one of the teams successfully rooted two of the Windows machines during the competition, and the server was unable to record these roots. Porting will be a major thrust of upcoming development in the OpenInfreno project as we attempt to not only get it working on Windows and Solaris, but also on Irix, HP-UX, and other operating systems.
Second, the agent and agent-server didn't use any encryption while talking to one another...which needs to be fixed. The main issue here is that OpenSSL is really poorly documented, and code which should have worked fine didn't work at all, despite the long hours of debugging. The answer was a simple issue, we weren't populating the PRNG engine before using the encryption capabilities, and while this is documented some places in the documentation, it isn't discussed where it really needs to be discussed. O'Reily's encryption book has some serious bugs in the code, and some of the code won't even compile, hence the errata on their page. Other books I've come across talk about encryption from such an abstract layer, and with minimal code, that implementing anything based on their book still requires more research.
Luckily for me, one of the attendies to my talk on Sunday suggested that the best place to find out how to use OpenSSL is to review the OpenSSH source code, which is far better documented, and the OpenSSH folks have figured out all of OpenSSL's faults and wrote around them. I've been looking over the OpenSSH code and documentation, and am quite impressed. We should have something working well soon.
Another issue, dealing with portability, was testing of the code. Part of the problem was that I was implementing code so fast that folks testing the code and implementing it were having a hard time keeping up. Hopefully, we can come up with a little better way of developing and testing the code in the future that will work for both sides...since I appear to be the kingpin at the moment in development (moving too quickly with code and not sharing the information with others...
Along the same lines, testing was a bear as the equipment and infrastructure available for testing the software is just not existant. I have some lab facilities available to me to do testing of the software, but resources are extremely limited. I will be working in the near future to come up with a better lab environment for testing the software before it is used at conferences or released, and I hope that others using the code will be able to test and provide responses to changes I make in the code. If anyone has rack-mountable hardware their company is interested in getting rid of, we could really use the hardware...especially managed network switches, since we have just one for OpenInfreno at the moment, and its an Alcatel PowerLine 1000 switch, and the Alcatel a-holes want to charge me $650 just to get the default userid and password to access the $100 switch.
Finally, we are going to need to start a lot earlier for next year... I am not planning some serious rewrites, but given that we had problems this year, it will be better to start planning stuff out now for next year. Also, advertising for the game needs to be a lot stronger, and longer, so that folks know when it is, what to expect, and what they can do as far as rules and capabilities.
Participants this year offered a number of comments and suggestions, which we, for the most part, have accepted and are implementing.
We can definately call the event this year a success, with the addendum that there is a number of things we need to fix before next year.