Dailydave mailing list archives

Re: DARPA CGC Recap

From: Julio Auto <julio.auto () gmail com>
Date: Tue, 11 Apr 2017 14:36:44 +0000

Thought I would add that Phrack has published a really nice paper by
Shellphish (one of the teams in the finals, finished 3rd place) on CGC and
their CRS (Cyber Reasoning System):
http://phrack.org/papers/cyber_grand_shellphish.html

That's the best technical write up, to my knowledge, of the inner workings
of a top-notch CRS.

    Julio Auto

On Tue, Apr 11, 2017 at 9:25 AM Chris Eagle <cse.lists () gmail com> wrote:

I don't speak for DARPA.

FWIW, various CGC final event data is available here:

http://repo.cybergrandchallenge.com/cfe/

In particular, the score_data.json files contained in the round specific
tar files in cfe-submissions.tgz allow you to see which teams fielded
successful PoVs in each round.

Video of the dev team's CGC related Shmoocon panel is here:
http://bit.ly/2p1LGcb

Some summary stats:

There were 82 challenge sets fielded during CFE.
Vulnerabilities were proven in 20 of them.
Unintended vulnerabilities were found in at least 5 of those 20.
The majority of flaws found were stack overflows.
In my opinion, there was only one legitimate, successful heap corruption
PoV. Keep in mind that all of the challenges used custom heap
implementations that the competitors had not seen before the final event.

A browsable archive of CGC data will be available soon.

Many papers are in various stages of publication by competitor teams and
DARPA's CGC team. These should shed a lot of light on what took place
during the final event.

Regards,

Chris

On 4/3/2017 9:56 PM, Dan Guido wrote:

Hey DailyDave,

I wanted to share a keynote I delivered recently on the Cyber Grand
Challenge and the broader advancements made in the field of automated
bug finding as of late. Dave was asking on Twitter if anyone had
released a detailed teardown of the CGC final event and I think my
presentation is the closest thing to it. It's pretty light, and might
be fun to watch on your way to Infiltrate.

https://blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/

Of course, DARPA has not released the raw data from the final event
yet so it's impossible to produce the analysis that I know Dave is
looking for. Maybe soon?

Have fun at Infiltrate everyone. I'll see you there!

-Dan

Our original conversation on Twitter:
https://twitter.com/dguido/status/841705081988870145
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

DARPA CGC Recap Dan Guido (Apr 09)
- Re: DARPA CGC Recap David Manouchehri (Apr 11)
- Re: DARPA CGC Recap Chris Eagle (Apr 11)
  - Re: DARPA CGC Recap Julio Auto (Apr 18)
  - Re: DARPA CGC Recap Ryan Stortz (Apr 18)
    - Re: DARPA CGC Recap Chris Eagle (Apr 18)
    - Re: DARPA CGC Recap Dave Aitel (Apr 20)
    - Re: DARPA CGC Recap David Manouchehri (Apr 21)
    - Re: DARPA CGC Recap Chris Eagle (Apr 21)
    - Re: DARPA CGC Recap David Manouchehri (Apr 24)
    - Message not available
    - Message not available
    - Re: DARPA CGC Recap Tyler Nighswander (May 02)