<div dir="ltr">Thought I would add that Phrack has published a really nice paper by Shellphish (one of the teams in the finals, finished 3rd place) on CGC and their CRS (Cyber Reasoning System): <a href="http://phrack.org/papers/cyber_grand_shellphish.html">http://phrack.org/papers/cyber_grand_shellphish.html</a><div><br></div><div>That's the best technical write up, to my knowledge, of the inner workings of a top-notch CRS.</div><div><br></div><div> Julio Auto</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Apr 11, 2017 at 9:25 AM Chris Eagle <<a href="mailto:cse.lists@gmail.com">cse.lists@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I don't speak for DARPA.<br class="gmail_msg">
<br class="gmail_msg">
FWIW, various CGC final event data is available here:<br class="gmail_msg">
<br class="gmail_msg">
<a href="http://repo.cybergrandchallenge.com/cfe/" rel="noreferrer" class="gmail_msg" target="_blank">http://repo.cybergrandchallenge.com/cfe/</a><br class="gmail_msg">
<br class="gmail_msg">
In particular, the score_data.json files contained in the round specific tar files in cfe-submissions.tgz allow you to see which teams fielded successful PoVs in each round.<br class="gmail_msg">
<br class="gmail_msg">
Video of the dev team's CGC related Shmoocon panel is here: <a href="http://bit.ly/2p1LGcb" rel="noreferrer" class="gmail_msg" target="_blank">http://bit.ly/2p1LGcb</a><br class="gmail_msg">
<br class="gmail_msg">
Some summary stats:<br class="gmail_msg">
<br class="gmail_msg">
There were 82 challenge sets fielded during CFE.<br class="gmail_msg">
Vulnerabilities were proven in 20 of them.<br class="gmail_msg">
Unintended vulnerabilities were found in at least 5 of those 20.<br class="gmail_msg">
The majority of flaws found were stack overflows.<br class="gmail_msg">
In my opinion, there was only one legitimate, successful heap corruption PoV. Keep in mind that all of the challenges used custom heap implementations that the competitors had not seen before the final event.<br class="gmail_msg">
<br class="gmail_msg">
A browsable archive of CGC data will be available soon.<br class="gmail_msg">
<br class="gmail_msg">
Many papers are in various stages of publication by competitor teams and DARPA's CGC team. These should shed a lot of light on what took place during the final event.<br class="gmail_msg">
<br class="gmail_msg">
Regards,<br class="gmail_msg">
<br class="gmail_msg">
Chris<br class="gmail_msg">
<br class="gmail_msg">
On 4/3/2017 9:56 PM, Dan Guido wrote:<br class="gmail_msg">
> Hey DailyDave,<br class="gmail_msg">
><br class="gmail_msg">
> I wanted to share a keynote I delivered recently on the Cyber Grand<br class="gmail_msg">
> Challenge and the broader advancements made in the field of automated<br class="gmail_msg">
> bug finding as of late. Dave was asking on Twitter if anyone had<br class="gmail_msg">
> released a detailed teardown of the CGC final event and I think my<br class="gmail_msg">
> presentation is the closest thing to it. It's pretty light, and might<br class="gmail_msg">
> be fun to watch on your way to Infiltrate.<br class="gmail_msg">
><br class="gmail_msg">
> <a href="https://blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/" rel="noreferrer" class="gmail_msg" target="_blank">https://blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/</a><br class="gmail_msg">
><br class="gmail_msg">
> Of course, DARPA has not released the raw data from the final event<br class="gmail_msg">
> yet so it's impossible to produce the analysis that I know Dave is<br class="gmail_msg">
> looking for. Maybe soon?<br class="gmail_msg">
><br class="gmail_msg">
> Have fun at Infiltrate everyone. I'll see you there!<br class="gmail_msg">
><br class="gmail_msg">
> -Dan<br class="gmail_msg">
><br class="gmail_msg">
> Our original conversation on Twitter:<br class="gmail_msg">
> <a href="https://twitter.com/dguido/status/841705081988870145" rel="noreferrer" class="gmail_msg" target="_blank">https://twitter.com/dguido/status/841705081988870145</a><br class="gmail_msg">
> _______________________________________________<br class="gmail_msg">
> Dailydave mailing list<br class="gmail_msg">
> <a href="mailto:Dailydave@lists.immunityinc.com" class="gmail_msg" target="_blank">Dailydave@lists.immunityinc.com</a><br class="gmail_msg">
> <a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" class="gmail_msg" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br class="gmail_msg">
><br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
Dailydave mailing list<br class="gmail_msg">
<a href="mailto:Dailydave@lists.immunityinc.com" class="gmail_msg" target="_blank">Dailydave@lists.immunityinc.com</a><br class="gmail_msg">
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" class="gmail_msg" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br class="gmail_msg">
</blockquote></div>