Cyber Defense Exercise

The CDX is an annual competition sponsored by the Information Assurance Directorate of the US National Security Agency which challenges a number of undergraduate institutions to design, implement, and defend a computer network against attack. The NSA builds the backbone exercise network and scoring infrastructure, acts as the competition referee, and fields a red cell with the task of compromising the confidentiality, integrity, and availability of the competitors' networks.

2017 Competition

Overview

The Exercise Directive describes the 2017 CDX. The 2017 CDX took place during a one-week competition in April.

Event                                               | Date           | Time
Availability scoring began                          | April 10, 2017 | 1400
Attacks and confidentiality/integrity scoring began | April 11, 2017 | 0900
Scoring ended                                       | April 13, 2017 | 1600

All times are in Eastern Daylight Time (UTC−04:00).

The US Military Academy team network spanned 28 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows 10 operating systems; and a range of software services.

Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 150 GB drive.

Results: 2017-CDX-USMA data set

Here you will find data collected by the US Military Academy team during the 2017 CDX. We have released these data into the public domain. Please refer to this data set collectively as 2017-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Ben Klimkowski, William Clay Moody, Joshua Bundt, and Michael Kranch. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.

Network diagram
Noah Ogrydziak maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
Packet captures; compressed size: 35 GB; MD5: 9a8d0d85d18e46ec4e2c1305bcd75d60
This data set contains packets captured by a sensor the team installed during the CDX. The capture is not complete with respect to time, but it contains all of the packets transmitted within the team's subnet during the periods the sensor was active.
Consolidated event logs; compressed size: 1.3 GB; MD5: 166852ff9644696ac9613938316c7185
This data set contains all of the log data collected by the team's centralized log system. This includes VisorFlow logs; Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and Bro logs.
Recorded compromises
The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. We provide these records here as comma-delimited text.
DNS blacklist
We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
Squid blacklist
We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
Firewall blacklist
We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
Gray-cell disk images
These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool which can convert this format into others, such as VMDK or raw.
Description                   | Pre-CDX image (compressed size; MD5)          | Post-CDX image (compressed size; MD5)
Alpha, the Ubuntu workstation | Pre-CDX: 7.8 GB; e584346c1cb114e4c48cf53c67f499f7 | Post-CDX (/): 5.8 GB; f48bbbb16c208b9f753f2a11dca10a04
                              |                                                 | Post-CDX (/home): 438 MB; 69f38c1a08f1f65ea5882bdf61f94282
Beta, the CentOS workstation  | Pre-CDX: 17 GB; 70b02b17e38560c397b01d4085dec939  | Post-CDX (/): 9.9 GB; ac88db8b5a2d2bf1ec9db1f819c15556
                              |                                                 | Post-CDX (/home): 111 MB; 52a0b1809fde46b2ea93b855c604ad0d
                              |                                                 | Post-CDX (/tmp): 133 MB; 4f80bbc0d9eff5f1d83518fc63c75b6c
Delta, a Windows workstation  | Pre-CDX: 5.7 GB; 6f5f474549fb6b67f2bfb6651a800090 | Post-CDX: 27 GB; f163a298be8a6691fa7e42812827abd5
Gamma, a Windows workstation  | Pre-CDX: 5.9 GB; 3f2980138ee4b0f52d9319d45fbcaeef | Post-CDX: 31 GB; b0fe8b642f813a35616bf660ae7f45c7

2016 Competition

Overview

Six documents describe the 2016 CDX:

The 2016 CDX took place during a one-week competition in April.

Event                                               | Date           | Time
Availability scoring began                          | April 11, 2016 | 1600
Attacks and confidentiality/integrity scoring began | April 12, 2016 | 0900
Scoring ended                                       | April 14, 2016 | 1600

All times are in Eastern Daylight Time (UTC−04:00).

The US Military Academy team network spanned 27 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows Server 2012 operating systems; and a range of software services.

Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 300 GB drive.

Results: 2016-CDX-USMA data set

Here you will find data collected by the US Military Academy team during the 2016 CDX. We have released these data into the public domain. Please refer to this data set collectively as 2016-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.

Network diagram
Austin Herrling maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
Packet captures (April 4, 2016–April 24, 2016); compressed size: 144 GB; MD5: 1aa52ff83f2d9940092783ff8058e0f7
This data set contains packet captures collected from three Security Onion sensors that the team installed during the CDX. The sensor on eth1 captured packets from outside of our core firewall (between the firewall and external network in the diagram above), the sensor on eth2 captured packets from each of the ports on our main switch (all internal subnets except for the subnet labeled gray), and the sensor on eth3 captured packets from our end-user subnet (gray subnet).
Consolidated event logs (April 8, 2016–April 14, 2016); compressed size: 253 MB; MD5: 90e03565aafe498b5b66bef1600a9f81
This data set contains all of the log data collected by the team's centralized log system. This includes Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and NetFlow records. The data set contains 15,455,997 records and is formatted as comma-delimited text.
Recorded compromises
The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. Many of these records are duplicate reports; nonetheless, these data should help in interpreting our packet captures. We provide these records here as comma-delimited text.
DNS blacklist
We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
Squid blacklist
We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
Firewall blacklist
We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
Gray-cell disk images
These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool which can convert this format into others, such as VMDK or raw.
Description                   | Pre-CDX image (compressed size; MD5)          | Post-CDX image (compressed size; MD5)
Alpha, the CentOS workstation | Pre-CDX: 6.9 GB; 724f0b458c89e11d8b306fea50a2a233 | Post-CDX: 6.2 GB; 61d048a1a48e3866d5c164317f95432a
Beta, the Ubuntu workstation  | Pre-CDX: 2.2 GB; 2a04ba0615f1bef0a8d110f204a5ad3f | Post-CDX: 2.9 GB; 280919958b3406c82ba15ca1fa708f6a
Delta, a Windows workstation  | Pre-CDX: 8.8 GB; 61fbc91bd0286d1fcaa0cf845691af4a | Post-CDX: 49 GB; ce7973e38eb42ddae9977f3df8c711ef
Gamma, a Windows workstation  | Pre-CDX: 11 GB; d5faec313efb74cdbecdf52187bbfbca  | Post-CDX: 53 GB; b19fe189ccfa6556cc8e809293fd42ef
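The gray-cell images above (in both the 2017 and 2016 tables) carry malware and are published only as QCOW2 with an MD5 per file. The script below is an added example, not code from this page or from the USMA team: it checks a downloaded file against the MD5 listed in the table before anything else touches it, and only then converts a QCOW2 image to raw with qemu-img so that it can be examined with ordinary disk-forensics tools rather than booted. File names such as alpha-pre.qcow2 are assumptions; the page links the files without naming them.

```shell
#!/bin/sh
# Added example (not from the flyn.org page): verify a 2017-CDX-USMA or
# 2016-CDX-USMA download against the MD5 published in the table, then
# convert a verified QCOW2 gray-cell image to a read-only raw image.

# verify_md5 FILE EXPECTED_MD5
# Exit status 0 only when FILE's MD5 equals EXPECTED_MD5 (case-insensitive);
# 1 on mismatch, 2 when the file cannot be read.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify_md5: cannot read $file" >&2; return 2; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_md5: MISMATCH for $file: got $actual, expected $expected" >&2
    return 1
}

# convert_image SRC.qcow2 DEST.raw
# Produces a raw image (the format the page says qemu-img can emit) and
# strips write permission so that later analysis (e.g. a loop mount with
# -o ro,noexec, or carving tools) cannot alter the evidence.
convert_image() {
    qemu-img convert -f qcow2 -O raw "$1" "$2" && chmod 0444 "$2"
}

# check_and_convert FILE EXPECTED_MD5 DEST.raw
# The whole workflow: refuse to convert anything whose digest does not match.
check_and_convert() {
    verify_md5 "$1" "$2" || return $?
    convert_image "$1" "$3"
}

# MD5s copied from the page's 2017 table; the .qcow2 names are assumed.
# Invoke as:  sh cdx-verify.sh run
if [ "${1:-}" = "run" ]; then
    check_and_convert alpha-pre.qcow2 e584346c1cb114e4c48cf53c67f499f7 alpha-pre.raw
    check_and_convert beta-pre.qcow2  70b02b17e38560c397b01d4085dec939 beta-pre.raw
fi
```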

Papers

T.J. O'Connor, William Enck, W. Michael Petullo, and Akash Verma. PivotWall: SDN-based information flow control. In Proceedings of the Symposium on SDN Research, SOSR '18, New York, NY, USA, March 2018. ACM.

Matt Shockley, Chris Maixner, Ryan Johnson, Mitch DeRidder, and W. Michael Petullo. Using VisorFlow to control information flow without modifying the operating system kernel or its userspace. In Proceedings of the 9th ACM CCS International Workshop on Managing Insider Security Threats, MIST '17, New York, NY, USA, October 2017. ACM.

Ryan Johnson, Jessie Lass, and W. Michael Petullo. Studying naïve users and the insider threat with SimpleFlow. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST '16, pages 35–46, New York, NY, USA, October 2016. ACM.

W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. The use of cyber-defense exercises in undergraduate computing education. In Proceedings of the 2016 USENIX Workshop on Advances in Security Education, ASE '16, Washington, DC, USA, August 2016. USENIX Association.

Leo St. Amour and W. Michael Petullo. Improving application security through TLS-library redesign. In Peter Schwabe, Jon Solworth, and Rajat Subhra, editors, Proceedings of the Fifth International Conference on Security, Privacy, and Applied Cryptography Engineering. Springer, October 2015. (30% acceptance rate).

W. Michael Petullo and Joseph Suh. On the generality and convenience of Etypes. In Proceedings of the 2015 IEEE Security and Privacy Workshops, New York, NY, USA, May 2015. IEEE.

Kyle V. Moses and W. Michael Petullo. Teaching computer security. In Proceedings of the ASEE Middle Atlantic Section Meeting, ASEE MidAtlantic '14, Washington, DC, USA, November 2014. ASEE.

W. Michael Petullo, Jon A. Solworth, Wenyuan Fei, and Pat Gavlin. Ethos' deeply integrated distributed types. In Proceedings of the 2014 IEEE Security and Privacy Workshops, New York, NY, USA, May 2014. IEEE.

W. Michael Petullo, Xu Zhang, Jon A. Solworth, Daniel J. Bernstein, and Tanja Lange. MinimaLT: Minimal-latency networking through better security. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS '13, New York, NY, USA, November 2013. ACM. (20% acceptance rate).

W. Michael Petullo and Jon A. Solworth. Simple-to-use, secure-by-design networking in Ethos. In Proceedings of the 6th European Workshop on System Security, EUROSEC '13, New York, NY, USA, April 2013. ACM. (30% acceptance rate).

W. Michael Petullo and Jon A. Solworth. The lazy kernel hacker and application programmer. Presentation at the 3rd ACM Workshop on Runtime Environments, Systems, Layering and Virtualized Environments, March 2013.

W. Michael Petullo and Jon A. Solworth. Simple-to-use, secure-by-design networking in Ethos. Presentation at the 3rd ACM Workshop on Runtime Environments, Systems, Layering and Virtualized Environments, March 2013.

W. Michael Petullo and Jon A. Solworth. Digital identity security architecture in Ethos. In Proceedings of the 7th ACM Workshop on Digital Identity Management, DIM '11, pages 23–30, New York, NY, USA, October 2011. ACM. (45% acceptance rate).

W. Michael Petullo and Jon A. Solworth. Rethinking operating system interfaces to support robust applications. Poster session of the 2012 IEEE Symposium on Security and Privacy, May 2012.

W. Michael Petullo and Jon A. Solworth. The Ethos project: Security through simplification. Poster session of the 2012 USENIX Symposium on Operating Systems Design and Implementation, October 2012.

W. Michael Petullo. Let's help Johnny write robust applications. Invited talk, University of Wisconsin–Madison, December 3, 2012.

W. Michael Petullo. Rethinking Operating System Interfaces to Support Robust Network Applications. PhD thesis, University of Illinois at Chicago, Chicago, IL, USA, May 2013.

W. Michael Petullo. Building custom firmware with OpenWrt. Linux Journal, 2010(196):56–61, August 2010. Belltown Media.

W. Michael Petullo. Implementing encrypted home directories. Linux Journal, 2003(112), August 2003. Belltown Media.

W. Michael Petullo. Encrypt your root filesystem. Linux Journal, 2005(129), January 2005. Belltown Media.

W. Michael Petullo. Developing GNOME applications with Java. Linux Journal, 2005(135):72–78, July 2005. Belltown Media.

W. Michael Petullo. Amateur video production using free software and Linux. Linux Journal, May 2002. Belltown Media.

W. Michael Petullo. Open source telephony: A Fedora-based VoIP server with Asterisk. Red Hat Magazine, July 2008.

W. Michael Petullo. From camera to website: Building an open source video streamer. Red Hat Magazine, April 2008.

W. Michael Petullo. Serving Apples: Integrating Mac OS X clients into a Fedora network. Red Hat Magazine, January 2008.

W. Michael Petullo. Disk encryption in Fedora: Past, present and future. Red Hat Magazine, January 2007.

W. Michael Petullo. Adding encryption support to HAL: A user's experience with Fedora development. Red Hat Magazine, October 2005.
Email: www@flyn.org — ✉ 6110 Campfire Court; Columbia, Maryland 21045; USA