Awesome CTF Challenge Design
A curated list of resources about security CTF and Wargame challenge design.
Table of contents
- General
- Approaches & Specific Designs
- Engineering
- Game/Puzzle Design
- Learning, Curiosity & Gamification
- Running Events
- Weird Machines & Esolangs
- Escape Rooms & Puzzle Hunts
- Mario Maker Troll Levels
- Finding Challenge Ideas
General
- The Many Maxims of Maximally Effective CTFs - Some important maxims to live out when making a CTF.
- What makes a programming exercise good? (Blog post) - Blog post from Julia Evans.
- CTF Design Guidelines - Design guidelines for CTF authors and organizers
Approaches & Specific Designs
- Hit ’em Where it Hurts (PDF) - A paper presenting the design of a novel kind of live security competition centered on the concept of Cyber Situational Awareness.
- A Serious Game for Eliciting Social Engineering Security Requirements (PDF) - A card game which all employees of a company can play to understand threats and document security requirements.
- Collection Deck (Website) - A training game designed by the CIA to teach employees about various collection capabilities.
- A “Divergent”-themed CTF and Urban Race for Introducing Security and Cryptography (PDF) - A set of CTF exercises and a physical activity based on an urban race, both of which are tied into a fictional story that students act out.
- Teaching Network Security Through Live Exercises (PDF) - This paper describes a series of live exercises that have been used in a graduate-level Computer Science course on network security.
- ARE CTF CREATORS EVIL?! - A Conversation around realworld CTF's with Adam Langley (Video) - Conversation session between STÖK and Adam Langley
- OOO DEF CON CTF finals infrastructure code - All the game components necessary to run an Attack-Defense CTF that OOO used from 2018-2021
Engineering
- AutoCTF - Creating Diverse Pwnables via Automated Bug Injection (PDF) - Making CTFs cheap and reusable by extending a bug injection system to add exploitable vulnerabilities, enabling rapid generation of new CTF challenges.
- Security Scenario Generator (SecGen) (PDF) - A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events
- Hackerbot (PDF) - Attacker Chatbots for Randomised and Interactive Security Labs, Using SecGen and oVirt
Game/Puzzle Design
- The Secrets of Puzzle Design (Video) - How Game Designers Explore Ideas and Themes with Puzzles and Problems.
- The Puzzle Instinct (Book)
- Designing the Puzzle (PDF) - Bob Bates's short paper on puzzle taxonomy and how to distinguish a good from a bad puzzle.
- How to make a good puzzle (Article) - An explorable explanation on how to make a puzzle that's fun, and satisfying to solve.
- Empuzzlement (Video) - Puzzle game designers talking about puzzles. Featuring: Jonathan Blow, Marc ten Bosch, and Droqen.
- Design to Reveal the Nature of the Universe (Video) - A talk from Jonathan Blow & Marc ten Bosch at IndieCade 2011.
- Open-Ended Puzzle Design at Zachtronics (Video) - Interview with Zach Barth on his studio's puzzle design process, from the initial foundation to the basic mechanics, to the way story is integrated. See also Zach-like (PDF) which is a book of behind-the-scenes design documents from Zachtronics.
- Practical Creativity (Video) - Raph Koster explains what science tells us about creativity, and offers practical straightforward steps that any game designer or developer can make use of in order to get more creative.
Learning, Curiosity & Gamification
- Modeling and Designing for Key Elements of Curiosity: Risking Failure, Valuing Questions (PDF) - This paper presents a design model of curiosity that articulates the relationship between uncertainty and curiosity and defines the role of failure and question-asking within that relationship.
- A New Theoretical Framework for Curiosity for Learning in Social Contexts (PDF) - This framework is a step towards designing learning technologies that can recognize and evoke curiosity during learning in social contexts.
- Curious Minds Wonder Alike (PDF) - A paper that identifies fine-grained social scaffolding of curiosity in child-child interaction, and proposes how they can be used to elicit and maintain curiosity in technology-enhanced learning environments.
- Gamification for teaching and learning computer security in higher education (PDF) - A paper that presents the design and evaluation of a gamified computer security module, with a unique approach to assessed learning activities.
Running Events
- Learning Obstacles in the Capture The Flag Model (PDF) - Insights and lessons learned from organizing CSAW CTF
- Organizing Large Scale Hacking Competitions (PDF) - Two new competition designs, the challenges overcome, and the lessons learned, with the goal of providing useful guidelines to other educators who want to pursue the organization of similar events
- Ten Years of iCTF - The Good, The Bad, and The Ugly (Video) - There is also a paper about this.
- Suggestions for running a CTF - Describes some of the design decisions and technical details involved in running a CTF competition.
Weird Machines & Esolangs
- What are Weird Machines? (Website) - A TLDR about the concept of Weird Machines.
- Abadidea's Index of Weird Machines in Video Games (Gist) - List of intentional gameplay features which may be used as weird machines, and exploit-based machines which can be triggered by ordinary player input.
- What Hacker Research Taught Me (Video) - Sergey Bratus' keynote at the TROOPERS 2010 conference. You can find the slides here.
- The Science of Insecurity (Video) - Meredith L. Patterson's talk at 28c3. Draws a direct connection between ubiquitous insecurity and computer science concepts of Turing completeness and theory of languages
- Computer Architecture: A Minimalist Perspective (Book) - Examines computer architecture, computability theory, and the history of computers from the perspective of one instruction set computing.
- Esoteric.Codes (Website) - Languages, platforms, and systems that break from the norms of computing
Escape Rooms & Puzzle Hunts
- A Model to Design Learning Escape Games: SEGAM (PDF) - A methodology for designing "Serious Escape Games" for learning.
- The joyful, perplexing world of puzzle hunts - A TED talk by Alex Rosenthal about constructing puzzles and the MIT Mystery Hunt.
- The art of creating an escape room - Thijs Bosschert's talk at SHA2017 on how to create the best experience for the players, pitfalls and how to design puzzles and puzzle flows.
Mario Maker Troll Levels
- Trolling for Dummies - A perpetual work in progress that will continue to be updated as the community learns more about making good troll levels, and as new techniques are discovered.
- Mario Maker 2 Multiplayer Troll Design - How to design a multiplayer troll that works and thrills the players and audiences.
- Multiplayer Contraptions in Super Mario Maker 2 - This guide is about various contraptions related to the multiplayer modes. Some of them are used to separate the mode, and others to determine the number of players.
- MulTROLLplayer Research Hub Tech Sheet - A compilation of multiplayer tech, from totally obvious to glitchy jank.
Finding Challenge Ideas
- Search RFCs by "best current practice" - IETF RFCs have a status called "Best Current Practice". This page lets you filter them using that status.
- CISA's catalog of "bad practice" - A catalog of bad practices that are exceptionally risky, especially in organizations supporting critical infrastructure or NCFs
See Also
Other Awesome Lists: