DARPA’s Cyber Grand Challenge is “a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time.” More laconically, it’s Capture The Flag for autonomous computers.
Just like DEF CON Capture The Flag (CTF), Cyber Grand Challenge (CGC) is a contest with two separate events. The CGC Qualifying Event (CQE) was held on June 3, 2015, and the CGC Finals Event (CFE) will be held on August 4, 2016, at DEF CON. Unlike DEF CON CTF, the competitors are Cyber Reasoning Systems (CRSes) that compete autonomously.
CQE had 28 teams participate, finding flaws in more than 99 of the 131 binaries during the twenty-four hour event. In addition to finding flaws, competitors patched binaries to remove vulnerabilities. Patches were graded on time, memory usage, and space efficiency. Competitors only had access to organizer-provided binaries, making this similar to a Jeopardy-style CTF, where competitors only have access to organizer-provided challenges.
Seven teams from CQE will be competing in the CFE in August. The scope and complexity is much bigger. Similar to an attack-defense CTF, organizer-provided binaries are just the beginning. CRSes will be expected to process binaries submitted by other competitors, in a complex “consensus evaluation” process that we’ll detail in another post.
The Cyber Grand Challenge is serious business. Not only does the top team win two million dollars, but every competing team will have pushed the limits of automated binary analysis and patching. In addition, the consensus evaluation format is a massive new development for the CTF community as a whole, and the popularization of CRSes for CTF competition will drastically change how CTF games are played.
Official CGC Links
- Cyber Grand Challenge main page
- CGC File Repository, including Vagrantfile, Debian packages, and more
- CGC Open Source Releases on GitHub
- CGC Program information on the DARPA site
- CGC Qualifying Event Twitter feed
Unofficial CGC Links
- "DARPA's Cyber Grand Challenge" by Mike Walker and Dan Kaufman on 60 Minutes
- "Introducing DARPA's Cyber Grand Challenge" by Mike Walker at ShmooCon 2014
- "How We Fared in the Cyber Grand Challenge" by Trail of Bits
- "Machine vs. Machine: Inside DARPA’s Fully Automated CTF" by Mike Walker and Jordan Wiens at DEF CON 23
- "Angry Hacking: The next gen of binary analysis" by Shoshitaishvili and Wang of Shellphish at DEF CON 23, Black Hat 2015, and 32c3
- "Unleashing the Mayhem CRS" by Tyler Nighswander