

MITRE eCTF 2026 — NeuSense (Team NEU-1)
MITRE's embedded Capture the Flag (eCTF) is an annual national hardware security competition where teams design and implement a Hardware Security Module (HSM) from scratch, then attack each other's implementations. For eCTF 2026, I led Northeastern's NEU-1 team — NeuSense — building a bare-metal HSM on the TI MSPM0L2228 microcontroller (ARM Cortex-M0+), written entirely in C with no operating system. The system had to enforce cryptographic security guarantees, hierarchical access control, PIN rate limiting, and tamper resistance under adversarial review from competing teams.
The design challenge required implementing production-quality cryptographic primitives using the chip's hardware accelerator under strict code-size and memory constraints, building a custom flash-based secure filesystem, and designing a session-based key management protocol that resisted replay, spoofing, PIN brute-force, and privilege escalation. All of this ran on a microcontroller with 32KB of SRAM and 256KB of flash — no malloc, no libc luxury functions, no OS scheduler.
Technologies & Tools
- - C (bare-metal, ARM Cortex-M0+)
- - TI MSPM0L2228 — AESADV hardware peripheral
- - DMA-driven AES-CBC-256 encryption
- - HMAC-SHA256 authentication
- - HKDF (ROOT_SEED → DEVICE_SEED → ENC_SEED / SESSION_SEED)
- - GCC ARM toolchain
- - OpenOCD / JTAG debugging
- - LaTeX (Technical Design Document)

Year
2026
Competition
MITRE eCTF 2026
Team
NEU-1 (NeuSense)
Role
Team Lead
Technical Implementation
Cryptographic stack — hardware-accelerated: AES-CBC-256 is driven through the TI MSPM0L2228's AESADV hardware peripheral via DMA, offloading the crypto computation from the CPU and achieving throughput the software implementation could not. HMAC-SHA256 handles message authentication. Constant-time comparisons are used for all MAC verification to prevent timing side-channel leakage.
HKDF key hierarchy: The system implements a three-tier key derivation chain: ROOT_SEED → DEVICE_SEED → ENC_SEED / SESSION_SEED. Per-session keys are derived from DEVICE_SEED via HKDF, scoped to a session ID and nonce. A captured session token is useless outside its session: the key is ephemeral, nonce-bound, and zeroed on teardown via secure_bzero.
PIN rate limiting: PIN-based authentication enforces an exponential backoff with a hard lockout threshold. Failed attempts are logged to non-volatile flash before the response is sent, ensuring the counter persists through power loss. A brute-force attack against the PIN space is computationally infeasible under the lockout schedule.
Fail-closed permission model: The message dispatch layer defaults to deny. Every incoming command requires an explicit, positively-asserted permission grant for the authenticated session's tier. Missing, malformed, or unauthenticated requests are rejected without processing — there is no fallback to a permissive default.
Secure flash filesystem: Custom flash storage layer with HMAC integrity tags on each write. Flash writes are atomic; a partial write is detected and rejected on next boot. Read and write access are gated through the permission system — lower tiers cannot read secrets belonging to higher tiers.
secure_bzero & anti-optimization: All key material, session secrets, and intermediate cryptographic state are zeroed after use via secure_bzero — implemented with a volatile pointer cast and a memory barrier to prevent the compiler from eliminating the writes as dead stores.
Document audit: Audited the team's LaTeX Technical Design Document against the codebase line by line. Identified and resolved multiple discrepancies between the specified cryptographic protocol and the actual implementation — including an incorrect IV handling claim and a mislabeled key derivation step in the HKDF chain.

Threat Model
Adversarial attack teams
Target
Physical + logical HSM
Security Challenges & Decisions
The most difficult constraint was achieving cryptographic correctness under code-size pressure while correctly leveraging the AESADV peripheral. DMA-driven crypto requires careful buffer alignment, correct peripheral initialization order, and proper DMA channel teardown — a missed step silently produces wrong ciphertext with no error flag. Getting this right required working directly from the TI reference manual and validating against known-answer test vectors.
Nonce management required both entropy and monotonicity. The MSPM0L2228 has a hardware RNG, but monotonic nonces also need to survive power loss without flash wear-leveling overhead. We combined the TRNG output with a flash-backed counter increment — write-before-respond to ensure the counter is durable before any nonce-using operation completes.
The compiler warning audit was non-trivial. Several translation units generated implicit function declaration warnings and integer conversion warnings that, in a bare-metal context, silently produce incorrect behavior — particularly sign extension in pointer arithmetic. All warnings were resolved to zero before final submission.
