/play-sdk

SDK for SecDim Play Levels


SecDim Play Level Builder

It is very easy to make game levels for SecDim Play. A level is a program with test suites that runs in a container.

Step 1: Pre-requisites

Fork and clone this repository.

Install docker, make, and a development environment for the language in which you are going to build the level.

Step 2: Initialise

Run ./build.sh, choose init, then choose a language.

This fetches the SDK for the language in which you are building the level. Currently supported languages are:

python, go, typescript, javascript, C# (csharp), java, solidity

Step 3: Create a private repository

Create a private repository on github and clone it.

cd ../
git clone github.com/my-user/my-private-repo

Change into your private repository, then copy the level directory and build.sh from the SDK into it.

cp -r ../sdk/level .
cp ../sdk/build.sh .
cd level/

Step 4: Add a security bug

Each level contains the vulnerable app and two sets of tests: usability and security.

Usability tests are always given to the player, while security tests, depending on the level difficulty, may not be given. The player runs make test for the usability test suite and make securitytest for the security test suite.

You can find a sample vulnerable app and test suites in the level directory.

Start by building the vulnerable app, then complete the usability test suite, and lastly the security test suite.

  1. Review the program code in level/src/ directory.

  2. Introduce a security bug:

    1. You can add new functionality or modify existing functionality.

    2. Add a usability test for new or modified functionalities.

    3. Remember your bug must be a security vulnerability.

Tip
Looking for an idea? The CWE Top 25 and the Semgrep Registry have sample code with security bugs.

Step 5: Add security test(s)

  1. Add security test(s) that detect the security bug

  2. make build && make securitytest to run the security tests. They should fail on master, because the bug is still present.

Depending on the level complexity, security tests will be treated differently:

  • Trivial: security tests are given to the player.

  • Easy: security tests are not given, but the security test titles should make clear what is expected.

  • Medium: security test title should give some clue.

  • Hard: No test output will be shown to the player.

Step 6: Create a patch

  1. git checkout -b patch to create a patch branch

  2. Patch the program

  3. make build && make test && make securitytest to run all tests. They should pass.

The patch branch is NOT provided to players; it is only used to verify that the level is solvable.
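The procedure in Steps 4 to 6, as an added example in Python (one of the supported languages); this is not code from the SDK, and the function and test names are illustrative. The level's bug is a SQL injection (CWE-89): master ships lookup_email_vulnerable, and the patch branch would replace it with lookup_email_patched. The usability suite must pass against both, while the security test must fail against master and pass against patch, which is exactly what make test and make securitytest are meant to report on each branch.

```python
"""Added example of a minimal SecDim Play level: vulnerable app, patched app,
usability tests and a security test. Not part of the play-sdk repository."""
import sqlite3

# Constructed sample data standing in for the level's application database.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str):
    """master branch: the security bug. The username is interpolated straight
    into the SQL text, so a crafted value rewrites the WHERE clause."""
    row = conn.execute(
        f"SELECT email FROM users WHERE username = '{username}'"
    ).fetchone()
    return row[0] if row else None


def lookup_email_patched(conn: sqlite3.Connection, username: str):
    """patch branch: identical behaviour for honest input, parameterised query
    so the username can never be parsed as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


# --- usability tests: must pass on BOTH branches (make test) ---------------
def usability_tests(lookup) -> bool:
    """Known users resolve to their email; unknown users resolve to None."""
    conn = make_db()
    ok = lookup(conn, "alice") == "alice@example.com"
    ok = ok and lookup(conn, "bob") == "bob@example.com"
    ok = ok and lookup(conn, "nobody") is None
    return ok


# --- security test: must FAIL on master, PASS on patch (make securitytest) --
# The function name doubles as the test title an "Easy" level would reveal.
INJECTION = "' OR '1'='1"  # constructed payload: turns the WHERE into a tautology


def security_test_injected_username_must_not_match_any_user(lookup) -> bool:
    conn = make_db()
    try:
        result = lookup(conn, INJECTION)
    except sqlite3.Error:
        return True  # a query error is fine: the payload was not executed as SQL
    return result is None


def run_suites() -> dict:
    """Mirror what make test / make securitytest should report per branch."""
    sec = security_test_injected_username_must_not_match_any_user
    return {
        "master": {"test": usability_tests(lookup_email_vulnerable),
                   "securitytest": sec(lookup_email_vulnerable)},
        "patch": {"test": usability_tests(lookup_email_patched),
                  "securitytest": sec(lookup_email_patched)},
    }


if __name__ == "__main__":
    for branch, results in run_suites().items():
        print(branch, results)
```

Against master the injected username collapses the query to `WHERE username = '' OR '1'='1'`, so the vulnerable lookup returns alice's email and the security test fails; against patch the same string is bound as a literal, no row matches, and the test passes, while the usability suite passes on both.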

Step 7: Verify

  • Run ./build.sh, then choose verify, to check that everything is okay

  • ❏ Update level/Readme.adoc (NOT this file!) with the level story/incident, its difficulty, and any pre-requisites.

  • ❏ Remove unnecessary files and directories

Step 8: Push

Push both the master and patch branches:

git push
git push -u origin patch

Add secdim as one of the contributors to your private repository. A friendly SecDim team member will review your level and will be in touch for the next step.

Done!

Important notes

  1. Remember to push both master and patch branches.

  2. Usability tests must always pass.

  3. Security tests must pass in the patch branch and fail in the master branch.

Troubleshooting

Ask your question on SecDim Discuss