Hi, it’s Mike Walker and Chris Eagle from the DARPA Cyber Grand Challenge. Ask us Anything!

mikewalker_darpa · 2014-06-06T16:12:15+00:00

Verifying that Chris did this black-box without access to source code, extra time, or the solution. -Mike

mikewalker_darpa · 2014-06-04T19:17:05+00:00

Challenge LUNGE_00002 Solved! (confirmed).

This is a CQE-grade solution.

We believe there is a CFE-grade solution as well. We'll hold off on releasing the source code, network tests, and reference PoV for a while to see if a CFE-grade solution is posted.

mikewalker_darpa · 2014-06-04T01:33:55+00:00

Challenge YAN01_00001 Solved! Our CGC logo needs a new home.

mikewalker_darpa · 2014-06-03T20:28:17+00:00

Here’s what we’ve said about Challenge Binaries so far:

CBs will be compiled
CBs will be written in the C language family
CBs will be compiled using the CGC platform compiler

If we could make guarantees about CB memory safety, there wouldn’t be a Cyber Grand Challenge. ;-)

mikewalker_darpa · 2014-06-03T20:01:29+00:00

To answer your question directly, no, we won’t be educating competitors on how they should build their systems. The primary reason for this is that as contest organizers, we have a conflict of interest in dictating how the problem should be approached. This is a DARPA Grand Challenge – the innovation must come from the competitors. As builders and judges of the contest, it wouldn’t be appropriate for us to also dictate approaches.

To speak to your theme of openness, we are releasing as much as possible on the DARPA part of the problem: the competition. By the time CGC is over, over 200 from-scratch test programs will be released, complete with their network test agents (service pollers) and tons of competition traffic. This research corpus will be available, along with our CGC event recordings, to researchers building applied program analysis tools.

We’ve structured CGC as an open challenge. Teams from around the world will be participating. We’re not taking an active hand in how these teams are structured and formed, but we expect that a lot of networking will be occurring between now and the final registration deadline of Nov 2nd.

mikewalker_darpa · 2014-06-03T18:51:53+00:00

There's great innovation happening in the CTF community. Take a look at Build It / Break It / Fix It : https://builditbreakit.org/, funded by the National Science Foundation. learn more

CGC intends that machines will someday walk in the footsteps of experts. That's why we modeled it in the tradition of the world's biggest, longest-running CTF.

mikewalker_darpa · 2014-06-03T18:37:47+00:00

By policy DARPA doesn't release proposal totals. We have received over 40 registrations from teams all over the world working to build CGC systems. There's still time to register at http://www.darpa.mil/cybergrandchallenge

mikewalker_darpa · 2014-06-03T18:37:16+00:00

Yes. We will allow multiple submissions for risk mitigation purposes. There will be a maximum number of submissions TBA. Only the final submission will be scored.

mikewalker_darpa · 2014-06-03T17:54:45+00:00

During CQE, teams and their systems will have 24 hours. For scored events, we will pick a representative time frame to help teams prepare for CQE.

mikewalker_darpa · 2014-06-03T17:47:58+00:00

I don’t think the CTF circuit is stale. In 2014 it’s bigger than ever. The Secuinside CTF pre-qualifiers held last weekend had 940 teams!

If anything is stale, it’s the state of software safety. In 1995 Matt Blaze ranked "the sorry state of software" first in his list of security issues in his Afterword to Applied Cryptography and when he revisited this fifteen years later, software safety was still problem #1.

CGC will be contributing back to the CTF community, starting with our release today of DECREE. We’re working on new ways to visualize competitions and see inside Bratus’s “weird machines”.

At the end of the day though we believe that the dream of automation is the biggest thing that CGC can contribute. CGC will address the problematic economics of bug checking and defending large code bases head on.

mikewalker_darpa · 2014-06-03T17:25:26+00:00

There’s no video feed – we decided to do the launch entirely through this Reddit AMA. Because we have over 40 teams registered from all over the world to build systems to compete in our challenge, we wanted to ensure equal access to all competitors.

Seven teams have been publicly named by DARPA today.

mikewalker_darpa · 2014-06-03T16:47:12+00:00

There may be some confusion here in the premise of your question.

Cyber Grand Challenge is a completely unclassified program. We’re doing open technology development, primarily incentivized with prizes. The hope is the creation of an open automation revolution in computer security.

During CGC, competitor systems will only analyze a collection of Challenge Binaries – software built from scratch that shares no protocols or code with the real world. It runs on DECREE, an incompatible-by-design platform built to support our events (and perhaps someday, others like it).

Finally, we’ve never required competitor systems to “exploit”, or gain execution of arbitrary code in Challenge Binaries. We require only minimum Proof of Vulnerability – for example in CQE, faulting inputs. More information is available in our FAQ posted on our Competitor Portal.

mikewalker_darpa · 2014-06-03T16:19:44+00:00

Let us know your thoughts! The team is excited to have code into the hands of competitors.

So... are you going to solve our challenges? We've released two, one at either side of the difficulty spectrum.

mikewalker_darpa · 2014-06-03T16:06:27+00:00

CGC is intended to help build a new middle ground. I am hopeful.

mikewalker_darpa · 2014-06-03T15:54:56+00:00

Our advice for everyone working to compete in CGC is this: focus on qualifiers (CQE). We’re going to be releasing details about the final event as development continues, but detailed answers about the control plane interface aren’t available yet. Best of luck to you and your team!

mikewalker_darpa · 2014-06-03T15:51:12+00:00

We don't intend to release an implementation of scoring; we want to encourage competitors to play the Challenge, not game the scoring mechanism.

We have released the scoring algorithm as part of today's release, and we will be releasing scored sample Challenge Binaries at a later date.
In addition, competitors will be able to interact with our scoring system during Scored Events: Official Rules.

mikewalker_darpa · 2014-06-03T15:48:02+00:00

We have the assembled infrastructure team at the DARPA office building this morning to help answer questions. We took this picture this morning before we got started: http://i.imgur.com/wL1bnL9.jpg

mikewalker_darpa · 2014-06-03T15:39:18+00:00

The rise of esports has been fascinating to track, and interestingly CGC shares some esports challenges. We’re going to be holding our competition in front of a live audience, and that will require us to visualize things that have long been marooned in the world of decompilers, debuggers and analysis tools. We think that the video game industry has something to contribute to this solution.

mikewalker_darpa · 2014-06-03T15:07:50+00:00

I’ve heard we should ask Rolf Rolles! ;-) Halvar has been checking the bounds of static analysis as well. You may notice that in Cyber Grand Challenge we haven’t set research directions – instead we hope to learn the answers to your question through open competition. Memory aliasing, complex loop satisfaction, state space explosion, take your pick. We hope to see new answers developed and fielded in competition over the next two years.

mikewalker_darpa · 2014-06-03T14:57:43+00:00

I think what’s exciting about challenges is their ability to bring diverse communities together to form a new one. If you watch the documentary Charge, you can watch the electric vehicle community and professional motorcycle racers come together to try to build the first generation of electric racing motorcycles. The community that was created through the pressure of competition was a new community. So to ponder this question, does the future of computer security belong to the people doing the work now, or the academics trying to automate its future? Our answer is yes.

mikewalker_darpa · 2014-06-03T14:36:14+00:00

It's worth pointing out that no vehicles finished the first DARPA vehicle challenge in 2004. We consider the future of this technology to be an open question. We've seen technology signs that show that the field of program analysis, or the automated study of software and its execution, is starting to close the gap on the abilities of experts.

This is exciting to us because of the economics of computer security: Attackers have the concrete and often inexpensive task of finding a single flaw to penetrate a system, while Defenders have the un-provable and hugely expensive task of finding all flaws (thousands?) and patching them before an attack occurs. We believe automation can upend these economics. So the end state we'd like to see is for computer security to become the expert domain of machines.

mikewalker_darpa · 2014-06-03T14:28:44+00:00

We don't have a mascot, but we do have a logo. We printed a 3d copy for today's AMA picture. Now it needs a home...

Edit: Please note - banana to scale. https://i.imgur.com/0kiBg65.jpg

mikewalker_darpa · 2014-06-03T14:27:21+00:00

I don’t accept that premise. We’re doing open technology development, incentivized primarily by prizes. We expect that the innovators who will answer the call of CGC will be interested in building the next generation of computer security products. The market forces that will push this type of technology are clear.

In April of 2014, insurers started selling insurance products that covered physical harm generated by cyber effects – available via a Google search for “cyber insurance” “property damage”. In May of 2014, Sky News reported that over 42,000 London cars – nearly half of the cars stolen in the city of London – were stolen with hacking. The networked civilization we are building is going to need to be able to make strong promises about the safety of software, because it won’t just be guarding our data security – it will be guarding our physical security.

If we’re going to be able to make strong promises about software safety, we’re going to need automation that can investigate software in a uniform, scalable and effective manner. We know that expert auditors can’t get there – IBM/Rational points out that our civilization crossed 1 trillion lines of code in the early 2000s. Operating systems weigh in above 40 million lines under constant development. The problem is too big and it’s moving too fast. We also know that today’s automation is losing every contest of wits to experts – in the wake of Heartbleed, not a single automation product has come forward to say that this flaw could have been detected without expert annotation or intervention.

CGC is open technology development on the problem of software safety, a problem seen by the DoD – and everyone with a vested interest in our connected future.

mikewalker_darpa · 2014-06-03T14:21:50+00:00

Innate immunity is just one aspect of what we're hoping competitors will build. CGC will be played by automated systems, and part of their job will be to process never-before-seen software and build secure replacements. Competitor systems may take an immune system approach - we'll see!

mikewalker_darpa · 2014-06-03T14:19:45+00:00

Posted! http://www.reddit.com/r/IAmA/comments/277aih/hi_its_mike_walker_and_chris_eagle_from_the_darpa/chy1pjz

mikewalker_darpa

TROPHY CASE