This year's challenge will focus on side channel attacks (SCA) on cyber-physical systems (CPS). SCAs are important to understand because they leak information even from systems that are running proven secure software, and CPSs are prevalent in industry and many other areas of society. Competitors will demonstrate their skills through a qualification phase and a challenge phase. In the challenge phase, teams will use an Arduino Uno based CPS with various firmware that exposes several side channels.
The ESC23 competition is divided into two phases:
- A preliminary qualification phase, where teams must compile and submit a short written report. The report should discuss side channels applicable to CPS, different attack approaches, and different mitigations that can be put in place to prevent side channel leakage. This includes examples of attacks, how one could perform the attacks, and mitigations for the described attacks.
- A final phase, where qualified teams are provided an Arduino Uno based CPS that exposes several side channels. Participants will investigate each variation of the system and attempt to exploit any side channels found. This involves successfully finding and exploiting side channels to gain information about the given CPS. The methods used should be repeatable and consistent.
See below for more details on the requirements of each phase.
For the qualification phase, teams should submit a short report that outlines approaches, techniques, and mitigations (not only one approach/technique) to attack CPSs with SCAs. The best approaches will include a discussion of existing techniques, a clear outline of attack methodologies, and a discussion of how the methodologies can be mitigated.
Qualification phase reports will be evaluated by a team of experts. The evaluation will take into account the correctness and creativity of the reported techniques, as well as the completeness and quality of the compiled report.
The final phase will be graded as follows:
- 50% of the final score will be correctness. The points awarded in this section are based on successfully finding, exploiting, and mitigating the provided SCA challenges and depend on the difficulty of each challenge. The awarded points will be determined systematically by the global organizers and the expert judges.
- 20% of the score will be performance and efficiency. Performance will be evaluated by the panel of expert judges and will encompass the techniques that the participants utilize to address the challenges. The metrics include, but are not limited to:
  - Effectiveness of proposed SCA
  - Repeatability and creativity
  - Automation of attacks
- 30% of the score will be the quality of the final deliverables (report, pre-recorded video, and judges' presentation or poster). The final deliverables will be graded by the judges' panel based on organization, clarity of presentation, and detail of explanations.
Notes: The use of software tools requiring a paid license, or a demo license of a non-free tool, is not allowed. This year's competition focuses on side channel attacks on the cyber-physical system. Therefore, solutions that involve reverse engineering of the flag, ROP programming, or modification of hex files will not be accepted.
You can refer to the deliverables page for more details on the qualification and final phase deliverables, and the Final Phase page for details about how to get started with this year's challenges.
To find more information regarding how to register and participate, click here.