Hackers of India

The Hack@DAC Story: Learnings from Organizing the World’s Largest Hardware Hacking Competition

By  Arun Kanuparthi   Hareesh Khattri   Jeyavijayan Jv Rajendran  , Jason Fung  , Ahmad Reza Sadeghi  on 18 Apr 2024 @ Blackhat

Abstract

In this talk, we will share our insights and learnings from organizing Hack@DAC, a hardware hacking competition that hosted over 1000+ researchers over the last seven years. We discuss how Hack@DAC is unique when compared against other hardware CTFs. We highlight the value of organizing a hardware CTF for the general security community. Specifically, we highlight key takeaways for industry, academia, and security researchers.

There has been a significant spike in the number of hardware vulnerabilities and cross-layer attacks in recent years, leading to increased interest and focus in this area. However, unlike software/ firmware domains, there are very few open hardware designs that detail known vulnerabilities and their mitigations. Hack@DAC CTF offers an open-source hardware design (along with a simulation environment) that mirrors the security features and weaknesses commonly seen in system-on-chip designs. Such Hardware CTFs enable academic participants to gain a deeper appreciation of the challenges involved in detecting and preventing vulnerabilities in industrial-scale designs. More importantly, CTFs help participants learn, practice, and share key skills and best practices with one another. By encouraging the formation of teams between individuals with diverse skillset, varying levels of expertise, and across organizational boundaries, CTFs offer a great community-building experience.

Next, we explain the strategies we followed to organize the competition over the last seven years and the differences when organizing a CTF for hardware vs software targets. This includes insights into how we choose the target design for the competition, how security features are added, and how vulnerabilities are inserted. We describe the two phases of the competition: an initial phase where teams get to familiarize themselves with the design and a final phase where top-performing teams are invited to do harder tasks in less time. We then share the impact the competition has had on the security research community in general.