What is the Cyber Grand Challenge?

DARPA’s Cyber Grand Challenge is “a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time.” More laconically, it’s Capture The Flag for autonomous computers.

Just like DEF CON Capture The Flag (CTF), Cyber Grand Challenge (CGC) is a contest with two separate events. The CGC Qualifying Event (CQE) was held on June 3, 2015, and the CGC Finals Event (CFE) will be held on August 4, 2016, at DEF CON. Unlike DEF CON CTF, the competitors are Cyber Reasoning Systems (CRSes) that compete autonomously.

CQE had 28 teams participate, finding flaws in more than 99 of the 131 binaries during the twenty-four hour event. In addition to finding flaws, competitors patched binaries to remove vulnerabilities. Patches were graded on time, memory usage, and space efficiency. Competitors only had access to organizer-provided binaries, making this similar to a Jeopardy-style CTF, where competitors only have access to organizer-provided challenges.

Seven teams from CQE will be competing in the CFE in August. The scope and complexity is much bigger. Similar to an attack-defense CTF, organizer-provided binaries are just the beginning. CRSes will be expected to process binaries submitted by other competitors, in a complex “consensus evaluation” process that we’ll detail in another post.

The Cyber Grand Challenge is serious business. Not only does the top team win two million dollars, but every competing team will have pushed the limits of automated binary analysis and patching. In addition, the consensus evaluation format is a massive new development for the CTF community as a whole, and the popularization of CRSes for CTF competition will drastically change how CTF games are played.

Official CGC Links

Unofficial CGC Links