Student Experience
UCSC team places second in Embedded Capture the Flag cybersecurity competition
The result showcases the campus’s excellence among the cybersecurity community.
Undergraduate students on the UC Santa Cruz team, left to right: Max Newstead, Aashrima Ruwali, Darlene Harsana, and Astra Tsai.
A team of undergraduate engineering students at the University of California, Santa Cruz, placed second among more than 100 teams at a cybersecurity competition called Embedded Capture the Flag (eCTF) put on by the MITRE Corporation. This year’s challenge was regarded by advisors and competitors as the toughest in the competition’s history, and this result recognizes the campus’s excellence among the cybersecurity community.
The competition mirrors a schoolyard game of capture the flag: you enter enemy territory, steal a flag, and return without getting caught. In the cybersecurity version, a player must hack into a system with real defenses and steal sensitive data, without being detected. The competition focuses on embedded systems—computing systems that exist natively within things like cars or medical devices.
A team of six undergraduate engineering students represented UC Santa Cruz in the competition. They completed the challenge while taking a section of the course CMPM 118, Collaborative Research Experience in Engineering, in which small student teams pursue a research project for a quarter.
Computer engineering undergraduate Astra Tsai led the group, contributing most of the points that led to the team’s second-place finish. She’s no stranger to success in cybersecurity—Tsai has also been the fastest solver overall of the National Security Agency’s Codebreaker Challenge for three years in a row. The team also won the Community Contributor award, recognizing Tsai’s efforts going above and beyond to help other participants and improve the open source tools used for the competition. The team included Andrew Chu, Darlene Harsana, Max Newstead, Aashrima Ruwali, and Virinchi Chintala, with Ph.D. student Sergio Valderrama advising the team.
Th eCTF runs for roughly three months, and it is split into two phases. In the first, the design phase, each team is handed a reference system that functions but is deliberately insecure, and has about six weeks to turn it into a hardened, fully working embedded device that satisfies a long list of security requirements. Only teams whose designs pass MITRE’s functional testing are admitted to the second half, the attack phase, where they spend the next six weeks attacking the live systems built by other competing teams.
Two things make eCTF far harder than a typical CTF cybersecurity competition. First, the target is a real microcontroller rather than a remote server, so attacks can include physical and close-proximity attacks—measuring a chip’s power draw to extract its secret keys, injecting electrical faults to skip a security check, or reading data straight off the board—alongside conventional software exploits. Second, there are no pre-made puzzles: the vulnerabilities teams hunt are genuine, unintended flaws in systems their peers engineered, exactly the way real-world security research works. The asymmetry is humbling—a defense that took weeks to design can fall in an afternoon.
“Most capture-the-flag competitions are weekend sprints in which you solve puzzles someone else built for you. The eCTF is the opposite—our students spent three months engineering a secure device and then attacking the real devices other teams built, which is how security actually works in the field,” said Alvaro Cardenas, a professor of computer science and engineering at the Baskin School of Engineering who advised the group. “Because the target is physical hardware, they had to reckon with fault-injection attacks most security competitions never see, like briefly reducing the voltage to the device in order to see if the microcontroller skips an instruction.”
This year’s challenge asked teams to secure the kind of data handled inside a semiconductor foundry, building a system that could store and exchange integrated-circuit design data among parties with different levels of trust without leaking it or letting anyone tamper with it.
The UC Santa Cruz team shared the podium with first-place team Carnegie Mellon University and third-place Indian Institute of Technology Madras, and UCSC’s result is all the more striking for the company it keeps. Carnegie Mellon has now won the eCTF five years running, fielding a large roster of 16 students (14 of them graduate students), three faculty advisors, and backed by industry sponsors and state-of-the-art equipment for hardware hacking. In contrast, the UC Santa Cruz team was composed solely of undergraduate students and a hardware setup of only $50.
“The attack phase often favors teams with specialized gear for hardware attacks—side-channel power analysis tools that let them pull precision fault injection attacks—making the small team’s defensive resilience against that field notable,” Cardenas said.
“A lot of teams came in with specialized equipment, such as the ChipWhisperer Husky, while we were working with an extremely limited setup, so winning new hardware from the competition is valuable,” Tsai said. “But the competition also inspired me to start designing my own voltage glitching system and explore what we can build ourselves.”
The competition also opened up new opportunities for Tsai.
“During the attack phase, our team stayed near the top of the leaderboard for almost two weeks, and that’s when Ben Janis from MITRE reached out to me,” Tsai said. “He encouraged me to apply for a summer internship at MITRE, and after the interviews, I found out I was accepted right before flying out to the award ceremony. It was surreal to go from competing in the eCTF to joining the organization behind it.”
This is the second time a UC Santa Cruz team has placed second in the eCTF competition, after a second-place debut in 2023.