Research Vision

Big Learning, Small Challenges

If we cannot make learning cybersecurity easy, then we will make it fun. Many capture-the-flag (CTF) competitions are designed by elite hackers for elite hackers, but on the picoCTF team we have software engineers, system admins, artists, students, teachers, administrators, new hackers, old hackers and we make a competition for high school and middle school students. Being so close to the Plaid Parliament of Pwning (PPP), every picoCTF competition has mind-bending challenges to challenge the saltiest hacker, but that’s the end of the journey for anyone prepared enough to make it that far.

Two key aspects separate picoCTF from other CTF’s: we provide the necessary tools to solve challenges to every participant & we provide “on-ramp” challenges in almost every category. About the first point, our website includes a “web shell” that grants access to our Linux server where we have pre-installed tools that participants need to analyze and solve challenges. The upshot is that high school students with access to old hardware or non-traditional devices (such as Chromebooks) can still participate. No preparation or installation of tools is required for picoCTF. Second, about “on-ramp” challenges, our team carefully crafts challenges that slowly introduce participants to using the shell, to making use of extensive learning resources we provide, and to the traditional CTF categories themselves, namely: binary exploitation, reversing, web exploitation, forensics, cryptography. Some on-ramp challenges fall under a “general skills” category which many times are computer science concepts such as number bases or encodings which are crucial to understanding many other problems farther down the path.

Finally, as far as “fun”… not everyone is motivated by competition (though many are). We also provide a videogame each year to provide something enthralling for explorers. Participants discover problems slowly as they solve others, and the yearly competition inspires collaboration between student teams. There is no way to make every cybersecurity concept easy, but our multifaceted strategy for making learning about cybersecurity enjoyable inspires students to work together, to learn to solve seemingly intractable challenges and incidentally learn quite a bit about computers and security along the way.

Past Papers

pico-Boo!: How to avoid scaring students away in a CTF competition (2019)

Abstract: The lack of computer security experts poses a challenge for the private sector and national security. To encourage middle & high school students to learn more about cybersecurity, picoCTF was created in 2013. picoCTF is a “capture the flag” computer security exercise built on top of a video game that teaches students technical skills such as reverse engineering, forensics, cryptography, and binary exploitation. The challenges are specifically designed to be hackable and provide a safe and legal way to explore cybersecurity. Since the first competition in 2013, picoCTF has grown from around 2,000 teams to 8,000 eligible middle & high school US & CA teams and over 27,000 total global participants in the 2018 competition. Two key changes have been implemented since the competition’s inception to improve learning outcomes and increase student engagement. More introductory and intermediate difficulty problems were added to each category, gradually increasing in difficulty. Also, a new “classroom” feature was added to the competition that allows teachers to create internal scoreboards and track student progress. An analysis of the results of the 2018 competition shows that these new problems kept students engaged for more problems in the competition, and students with teachers who utilized the classrooms feature performed better than students with teachers who did not.

Full Paper

Automatic Problem Generation for Capture-the-Flag Competitions (2015)

Abstract: Computer security games, especially capture-the-flag (CTF) competitions, are growing in popularity. A typical CTF contest presents users with a set of hacking challenges, where correct solutions reveal a text “flag” that can be submitted to a scoring server. In traditional CTF architectures, the problem and the flag are the same across the competition.

In this paper we discuss automatic problem generation (APG), where a given challenge is not fixed, but rather can have many different automatically generated problem instances. APG offers players a unique competition experience and can facilitate deliberate practice where problems vary just enough to make sure a user can replicate the solution idea. APG also allows competition administrators the ability to detect when users submit a copied flag from another user to the scoring server. In 2014 we ran a large-scale CTF competition called PicoCTF, where we measured the prevalence of flag sharing. Our results indicate that about 0.8% of flags submitted to AGP problems were copied, with 14% of teams submitting at least one shared flag. In 68% of flag sharing cases, teams went on to eventually solve the problem on their own.

Full Report

PicoCTF: A Game-Based Computer Security Competition for High School Students (2014)

Abstract: The shortage of computer security experts is a critical problem. To encourage greater computer science interest among high school students, we designed and hosted a computer security competition called PicoCTF. Unlike existing competitions, PicoCTF focused primarily on offense and presented challenges in the form of a web-based game. Approximately 2,000 teams participated, with students playing for an average of 12 hours. We present the game-based competition design, an evaluation based on survey responses and website interaction statistics, and insights into the students who played. Further we have released our platform and challenges as an open source project, which has been adapted into the curricula of 40 high schools. Since its release in August of 2013, the PicoCTF platform has been used to host six other capture-the-flag competitions.

Full Report

picoCTF: Teaching 10,000 High School Students to Hack (2013)

Abstract: In the spring of 2013, two student-lead organizations, the Plaid Parliament of Pwning and Team Osiris, designed and hosted a computer security competition for high school students called picoCTF. Unlike existing competitions, picoCTF focuses primarily on offensive hacking skills presented in the form of a web-based video game to better excite students about computer science and computer security. Over the 10-day competition nearly 10,000 middle and high school students participated across almost 2,000 teams vying for $25,000 in prizes, making picoCTF, to the best of our knowledge, the largest hacking competition ever held. The competition introduced thousands of high school students to advanced topics such as the command-line interface, cryptographic ciphers, the client-server paradigm of the web, file system forensics, command injection, data representation, and program representation. picoCTF sets a new standard in scale and educational impact in pre-collegiate computer science.

Full Report

picoCTF 2013 - Toaster Wars: When interactive storytelling game meets the largest computer security competition (2013)

Abstract: Computer security competitions have become a great resource for students who are interested in computer science as a career. Most of these computer security competitions, commonly known as CTFs (Capture the Flag), are presented in a Jeopardy Board style of gameplay. This type of presentation only displays the problems and lacks a compelling storyline, interaction, or player immersion. A team of five graduate students (dubbed Team Osiris) from Carnegie Mellon University’s Entertainment Technology Center worked with Carnegie Mellon’s Hacking Club PPP to create `picoCTF,’ a computer security competition to encourage U.S. middle school and high school student’s interest in computer science. It was Team Osiris responsibility to add gamification to picoCTF; to push the game presentation beyond a static Jeopardy Board. Team Osiris created game design, art, animation, and programming around a fun, interactive story. The result of this effort was Toaster Wars, a CTF game experience. The competition took place from Apr. 26th to May 5th 2013, were almost 10,000 players participated. By adding gamification to picoCTF 2013 or Toaster Wars, players had a more immersive learning and competition experience.

Full Report