[Dailydave] DARPA CGC Recap

Julio Auto julio.auto at gmail.com
Tue Apr 11 10:36:44 EDT 2017


Thought I would add that Phrack has published a really nice paper by
Shellphish (one of the teams in the finals, finished 3rd place) on CGC and
their CRS (Cyber Reasoning System):
http://phrack.org/papers/cyber_grand_shellphish.html

That's the best technical write-up, to my knowledge, of the inner workings
of a top-notch CRS.

    Julio Auto

On Tue, Apr 11, 2017 at 9:25 AM Chris Eagle <cse.lists at gmail.com> wrote:

> I don't speak for DARPA.
>
> FWIW, various CGC final event data is available here:
>
> http://repo.cybergrandchallenge.com/cfe/
>
> In particular, the score_data.json files contained in the round-specific
> tar files in cfe-submissions.tgz allow you to see which teams fielded
> successful PoVs in each round.
>
> Video of the dev team's CGC-related Shmoocon panel is here:
> http://bit.ly/2p1LGcb
>
> Some summary stats:
>
> There were 82 challenge sets fielded during CFE.
> Vulnerabilities were proven in 20 of them.
> Unintended vulnerabilities were found in at least 5 of those 20.
> The majority of flaws found were stack overflows.
> In my opinion, there was only one legitimate, successful heap corruption
> PoV. Keep in mind that all of the challenges used custom heap
> implementations that the competitors had not seen before the final event.
>
> A browsable archive of CGC data will be available soon.
>
> Many papers are in various stages of publication by competitor teams and
> DARPA's CGC team. These should shed a lot of light on what took place
> during the final event.
>
> Regards,
>
> Chris
>
> On 4/3/2017 9:56 PM, Dan Guido wrote:
> > Hey DailyDave,
> >
> > I wanted to share a keynote I delivered recently on the Cyber Grand
> > Challenge and the broader advancements made in the field of automated
> > bug finding as of late. Dave was asking on Twitter if anyone had
> > released a detailed teardown of the CGC final event and I think my
> > presentation is the closest thing to it. It's pretty light, and might
> > be fun to watch on your way to Infiltrate.
> >
> > https://blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/
> >
> > Of course, DARPA has not released the raw data from the final event
> > yet so it's impossible to produce the analysis that I know Dave is
> > looking for. Maybe soon?
> >
> > Have fun at Infiltrate everyone. I'll see you there!
> >
> > -Dan
> >
> > Our original conversation on Twitter:
> > https://twitter.com/dguido/status/841705081988870145
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunityinc.com
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
> >