By David Murphy
Competing in this year’s CSAW Cybersecurity Games & Conference (CSAW'23) proved to be a rewarding experience for two of KAUST’s research groups: a joint KAUST team comprising students from the Secure Next Generation Resilient Systems (SENTRY) Lab, the Distributed Systems and Autonomy (DSA) Group and the Cyber Resilience Research (CybeResil) Group won the "Hack My Robot Challenge (HMR)."
The SENTRY team, under the supervision of Professor Charalambos Konstantinou, also secured first place in the "Embedded Systems Challenge (ESC)." It is the third year running that the SENTRY Lab have been successful at CSAW.
Celebrating its 20th year, CSAW'23—which took place from November 8–11—is the most comprehensive student-run cybersecurity event in the world. It began in 2003 as a small local competition organized by Nasir Memon, co-founder of New York University Tandon’s cybersecurity program. Since then, it has expanded to include five global academic centers hosting various cyber competitions.
An award-winning application of knowledge
First run in 2008, the ESC is the oldest hardware security competition in the world. This year’s event focused on side-channel attacks (SCAs) on cyber-physical systems (CPS). CPS are widely used across various industries and critical infrastructure systems. Even when they run secure software, these systems can inadvertently leak information if configured incorrectly.
This year, teams were equipped with an open-source microcontroller board, an Arduino Uno, and a custom board featuring various peripherals to expose multiple side channels.
Upon successful completion of the qualification phase, participants advanced to the final stage. Here, the competition intensified as teams were tasked with actively identifying and exploiting SCAs within the given hardware device, the Arduino Board. The objective was to extract information, reflecting a hands-on application of students’ knowledge and skills.
Upon progression through this phase, the KAUST SENTRY team placed first in the MENA and U.S./Canada regions. In doing so, they beat off stiff competition from elite U.S. universities such as Texas A&M University, Columbia University, Purdue University and Georgia Institute of Technology.
“Participating in these challenges provided students with a firsthand experience of the consequences of SCAs and how they can potentially leak sensitive information,” Professor Konstantinou said. “This hands-on approach not only deepened their understanding of cybersecurity threats but also empowered them to develop practical solutions to safeguard against side-channel attacks.”
Many hacking competitions and educational initiatives concentrate on general cybersecurity concepts; the ESC, however, stands out by focusing on hardware-level vulnerabilities in CPS. Integrating diverse, custom firmware versions on the Arduino Uno added a distinctive layer to the competition.
“The uniqueness of this competition lies in its specific focus on SCA within the context of CPS running on an Arduino Uno platform,” he emphasized. “Furthermore, the combination of hands-on challenges, report and poster creation and the call for participants to propose effective mitigations add a unique practical dimension, which contributes to a more comprehensive understanding of securing cyber-physical systems.”
Enhancing the University’s cybersecurity reputation
The CSAW'23 HMR Challenge aimed to raise awareness regarding the cybersecurity aspects of increasingly digitalized construction environments with a particular focus on robotics. This year’s competition focused on autonomous excavators, which can cause critical safety issues if compromised.
The competition unfolded in three stages: a selection phase where the team was queried about their knowledge and ideas regarding disrupting system behavior; a second competition stage, which required the KAUST students to apply an attack on the robot, inducing incorrect behavior within a three-hour timeframe; and a final stage, in which the students competed against five other teams to break into the system most efficiently—utilizing diverse hacking techniques like dictionary attacks, spoofing and denial-of-service attacks.
Among the five finalists, the KAUST team excelled by executing the hacking process quickly and creatively. Notably, the students achieved this feat without relying on hints from the organizers, which could have led to point reductions.
“To see my students emerge victorious is a testament to their exceptional skills, dedication and hard work,” Konstantinou noted. “The HMR Challenge provided a valuable learning opportunity about the implications of integrating cyber-physical systems among humans. Our students not only demonstrated the potential threats to company operations but also underscored the dangers to human safety when working alongside these devices.
“Furthermore, witnessing their success is a personal joy and a validation of the quality of education and training provided at KAUST. The fact that our students could outshine their international peers speaks volumes about their capabilities and the effectiveness of our research and educational programs.
“Moreover, these victories highlight the importance of fostering a dynamic and supportive learning environment that encourages students to explore and push the boundaries of their knowledge. As a professor, it is immensely gratifying to see the results of their efforts and to know that I played a part in guiding and mentoring them on their journey. I believe these achievements not only reflect positively on the students but also enhance the reputation of KAUST in the field of cybersecurity,” he concluded.
The CSAW'23 ESC winning team:
• Li Zhou (adviser: Professor Charalambos Konstantinou, SENTRY Lab),
• Rana A. Alahmadi (adviser: Prof. Konstantinou, SENTRY Lab),
• Michał Forystek (adviser: Prof. Konstantinou, SENTRY Lab),
• Krish Chatterjie (adviser: Prof. Konstantinou, SENTRY Lab).
The CSAW'23 HMR winning team:
• Luis A. Vazquez Limon (adviser: Prof. Konstantinou, SENTRY Lab),
• Nouf Farhoud (adviser: Professor Shinkyu Park, DSA Group),
• David Alvear Goyes (adviser: Prof. Park, DSA Group),
• Erick Rodriguez E. Silva (adviser: Professor Paulo Esteves-Veríssimo, Cyber Resilience Research Group).