DARPA's $4M Cyber-Threat Clash Down To Seven Challengers
coondoggie writes: When it began a year ago, there were 104 teams competing for $4 million in prize money in the Defense Advanced Research Projects Agency (DARPA)'s ambitious tournament — known as the Cyber Grand Challenge (CGC) — to see who can build the best fully automatic network defense system. This week DARPA said that after a couple dry runs and a significant qualifying event the field of CGC teams is down to seven who will now compete in the final battle slated to take place at DEFCON in Las Vegas in August 2016.
Shellphish here! (Score:4, Interesting)
Hello! I'm the "team leader" of team Shellphish, one of the seven finalists. Super cool to see a story about us! If people have questions, I'd love to answer them if I can :-)
Re: (Score:2)
As another commenter mentioned, the CGC looks at compiled binaries, regardless of language. In practice, most (all?) of the challenges were written in C. While, in principle, the choice of language shouldn't matter overly much, some languages make heavy use of constructs which seriously complicate analysis. For example, C++ vtables (https://en.wikipedia.org/wiki/Virtual_method_table) or Objective C's dynamic method lookup (http://stackoverflow.com/questions/14219840/how-does-objective-c-handle-method-resolu
Re: (Score:2)
Also let us know how an automated security product is supposed to work.
One of the fundamental tenets of 'security' is that it's an ongoing process, not a finished product:
https://www.schneier.com/essay... [schneier.com]
Re: (Score:2)
Security is definitely a constantly evolving arms race, and it's exactly that cat-and-mouse game that makes it fascinating. A key thing to keep in mind is that this contest isn't necessarily about creating an AI that evolves to respond to emerging attacks or new techniques. In fact, the scope of the Cyber Grand Challenge is quite well defined to identifying, exploiting, and patching memory corruption vulnerabilities.
The goal of the CGC, as we understand it, is to create a system that, given this human-speci
Re: (Score:2)
The contest works as follows:
- every team creates a "Cyber Reasoning System", which is software that takes a vulnerable application binary as input and outputs an exploit and a patched version of the binary
- when the contest starts, DARPA releases a crap-ton of applications (for the qualifying event, there were 131, some of which were complex applications that comprised multiple binaries).
- each team's CRS analyzes these binaries (without human intervention), and submits the resulting exploits and patches to DAR
Re: (Score:2)
Haha, that sounds like a badass idea! Does battlebot have any rules in place for "electronic warfare" like that?
Is that what you want? (Score:2)
because that's how you get Skynet.
Re: (Score:2)
first you get a whole lot of very confused sysadmins during an outage ;-)
Re: (Score:2)
When did you finally crack that deep cover genius? Now Defence Contracting will have to change the name 'cause you've spoiled it all. You brave whistle-blower you.
Re: (Score:2)
...that air gaps the network with a laser to the ethernet cable, and attempts to kill anyone who approaches the network with a USB stick, but simply falls down the stairs instead, twitching.
You wasted your money investing in that venture.
It must hurt to lose a lucrative defence contract to a can of floor wax and a $2 sign that says "Do not run".
Cool! (Score:4, Informative)
I remember back in the late '90s (when I was playing junior football with Moses) when the knee-jerk industry reaction to malware was to stop funding any sort of "active" defence systems development. True the old ping of death doesn't work anymore (it was a fun anti-cracker defence until the ISP put an end to it - a bit like burglars suing when they slip on your shiny floor and hurt themselves). I can think of a few interesting alternatives though, but I might just stick with the standard re-direct to an interesting picture for the time being given our silly "cyber-crime" laws.