[Dailydave] DARPA Cyber Grand Challenge!

dave aitel dave at immunityinc.com
Fri Aug 5 10:22:47 EDT 2016 

Summary: Fifteen years from now we'll be able to secure the 80s! :)

If you haven't read this giant post on the subject, then you should:
http://cybersecpolitics.blogspot.com/2016/05/the-common-thread-fuzzing-bug-triage.html?m=1

The Cyber Grand Challenge was last night and they LIVE Streamed it to
the world over YouTube <https://www.youtube.com/watch?v=xek4OcScCh4>,
which was GREAT. The whole thing went fairly flawlessly, which was
impressive, and the work done on the visualizations and game design and
test programs and really every part of it is immense. Not to mention the
contestant teams themselves. I'm going to start with one major complaint
and then the top hits. But if you watched it, hopefully you were
watching it for strategic reasons: you want to know about the technology
curve; you want to know how it's going to effect nation-state cyber war;
you want to know if the field of application security is about to change
in a significant way. DARPA is an org filled with boundless optimism as
their cultural model. Hackers, however, are not. If this technology was
a breakthrough then only the countries who could afford real super
computers (basically only the US) would be able to complete in the cyber
domain - it would perhaps be a "stealth technology" level event. On to
the analysis:

First of all: WTF were they thinking having a random astrophysicist be
the MC of the event? You already have Visi, and what you really need is
SOMEONE ELSE WHO KNOWS WHAT THEY ARE TALKING ABOUT. I'm not sure who
made that decision, but it was not a good one. There were ten people in
the audience who would have made better co-announcers. It was painful to
watch.

The results were surprising if you haven't read that post I link at the
top there:

 1. All the teams were within a hair width of each others' scores. We
    can predict that by saying that yes, all the teams basically have
    the same strategy and technology. There are no breakthroughs here,
    despite an impressive amount of automation.
 2. Fuzzing is by far the dominant strategy. Only two teams (Mayhem and
    Shellfish) were able to solve some of the intermediate level
    challenges (a watered down CrackAddr and the Morris Worm emulation),
    which they would have done with some pretty impressive static
    analysis. My personal opinion is that this probably represents an
    asymptotic ceiling on the level of complexity these techniques will
    be able to handle, not a rung in a technology ladder going ever
    skyward. Great results nonetheless.
 3. 90% of the technology from this challenge is available in open
    source format from international sources, for those people who
    mistakenly still think Export Control has a role in our world. :)

-dave


Scoreboard: Note how close all the scores are. I want a revised
scoreboard normalized for just the people able to find the exploits.
Hopefully DARPA will release that information without me having to
pester them by phone. :)

Morris Worm Sample Bug from Shellfish: NOTE TO VISI: Please do another
video where you go over these solutions in detail using all those
amazing visualizations and program traces.

Crackaddr simulation from Shellfish


 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160805/9f744a86/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: darpa3.jpg
Type: image/jpeg
Size: 49001 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160805/9f744a86/attachment-0003.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shellfish2.jpg
Type: image/jpeg
Size: 230138 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160805/9f744a86/attachment-0004.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shellfish1.jpg
Type: image/jpeg
Size: 166414 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160805/9f744a86/attachment-0005.jpg>

More information about the Dailydave mailing list