<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Summary: Fifteen years from now we'll be able to secure the 80s!
:)</p>
<p>If you haven't read this giant post on the subject, then you
should:
<a class="moz-txt-link-freetext" href="http://cybersecpolitics.blogspot.com/2016/05/the-common-thread-fuzzing-bug-triage.html?m=1">http://cybersecpolitics.blogspot.com/2016/05/the-common-thread-fuzzing-bug-triage.html?m=1</a></p>
<p>The Cyber Grand Challenge was last night and they LIVE Streamed
it to the world over <a
href="https://www.youtube.com/watch?v=xek4OcScCh4">YouTube</a>,
which was GREAT. The whole thing went fairly flawlessly, which was
impressive, and the work done on the visualizations and game
design and test programs and really every part of it is immense.
Not to mention the contestant teams themselves. I'm going to start
with one major complaint and then the top hits. But if you watched
it, hopefully you were watching it for strategic reasons: you want
to know about the technology curve; you want to know how it's
going to effect nation-state cyber war; you want to know if the
field of application security is about to change in a significant
way. DARPA is an org filled with boundless optimism as their
cultural model. Hackers, however, are not. If this technology was
a breakthrough then only the countries who could afford real super
computers (basically only the US) would be able to complete in the
cyber domain - it would perhaps be a "stealth technology" level
event. On to the analysis: <br>
</p>
<p>First of all: WTF were they thinking having a random
astrophysicist be the MC of the event? You already have Visi, and
what you really need is SOMEONE ELSE WHO KNOWS WHAT THEY ARE
TALKING ABOUT. I'm not sure who made that decision, but it was not
a good one. There were ten people in the audience who would have
made better co-announcers. It was painful to watch.</p>
<p>The results were surprising if you haven't read that post I link
at the top there: <br>
</p>
<ol>
<li>All the teams were within a hair width of each others' scores.
We can predict that by saying that yes, all the teams basically
have the same strategy and technology. There are no
breakthroughs here, despite an impressive amount of automation.
<br>
</li>
<li>Fuzzing is by far the dominant strategy. Only two teams
(Mayhem and Shellfish) were able to solve some of the
intermediate level challenges (a watered down CrackAddr and the
Morris Worm emulation), which they would have done with some
pretty impressive static analysis. My personal opinion is that
this probably represents an asymptotic ceiling on the level of
complexity these techniques will be able to handle, not a rung
in a technology ladder going ever skyward. Great results
nonetheless.</li>
<li>90% of the technology from this challenge is available in open
source format from international sources, for those people who
mistakenly still think Export Control has a role in our world.
:)<br>
</li>
</ol>
<p>-dave</p>
<p><br>
</p>
<p>Scoreboard: Note how close all the scores are. I want a revised
scoreboard normalized for just the people able to find the
exploits. Hopefully DARPA will release that information without me
having to pester them by phone. :)<br>
</p>
<p><img alt="" src="cid:part2.009241D4.ECC672CB@immunityinc.com"
height="185" width="336"></p>
<p>Morris Worm Sample Bug from Shellfish: NOTE TO VISI: Please do
another video where you go over these solutions in detail using
all those amazing visualizations and program traces.<br>
</p>
<p><img alt="" src="cid:part3.591E2521.8A3CF1E7@immunityinc.com"
height="292" width="537"></p>
<p>Crackaddr simulation from Shellfish<br>
</p>
<img alt="" src="cid:part4.18211D81.899CC736@immunityinc.com"
height="305" width="448">
<p><br>
</p>
<p> <br>
</p>
<p><br>
</p>
<p><br>
</p>
</body>
</html>