With the coming advent of the Internet of Things, data insecurity is on track to become physical insecurity. The same code that powers today’s networked computers – code that is routinely compromised by attackers – is making its way into our vehicles, our smart homes, our augmented reality, and our connected culture. This future requires fundamentally new thinking about how networked devices will be defended.
Today’s attackers have the upper hand due to the problematic economics of computer security. Attackers have the concrete and inexpensive task of finding a single flaw to break a system. Defenders, on the other hand, are required to anticipate and deny any possible flaw – a goal both difficult to measure and expensive to achieve. Only automation can upend these economics.
The ultimate test of wits in computer security occurs through open competition on the global Capture the Flag (CTF) tournament circuit. In CTF contests, experts reverse engineer software, probe its weaknesses, search for deeply hidden flaws, and create securely patched replacements. How hard is this work? The recently discovered Heartbleed flaw in OpenSSL went undiscovered by automation for years before experts found it. The discovery of Heartbleed required the same type of reverse engineering excellence that CTFs are designed to hone.
What if a purpose-built computer could compete against the CTF circuit’s greatest experts? Such a computer could scour the billions of lines of code we depend on, find and fix the toughest flaws, upend the economics of computer security, and level the playing field between attackers and defenders.
Over the next two years, innovators worldwide are invited to answer the call of Cyber Grand Challenge. Over a series of competition events, the very first prototype CTF-playing systems will be built, entered into competition, and selected.
In 2016, DARPA will hold the world’s first all-computer Capture the Flag tournament, live on stage and co-located with the DEF CON Conference in Las Vegas, where automated systems may take the first steps towards a defensible, connected future.
Explore this site to learn more about Cyber Grand Challenge, and help us start a revolution.
If you’re interested in joining or forming a team, the authoritative rules are available directly from the DARPA Competitor Portal.
If you’re in a hurry, here are a few key points:
Cyber Grand Challenge (CGC) is a contest to build high-performance computers capable of playing in a Capture-the-Flag style cyber-security competition.
During all competition events, systems will compete on their own with no human involvement.
Scoring during all events is simple: systems will score points based on their ability to Evaluate software, maintain software Availability, and Secure software from the presence of harmful flaws.
During competition events, CGC systems will analyze custom compiled software (written in the C language family) built exclusively for the competition. This software collection (Challenge Binaries) will implement network services built on no currently existing code or protocol. This will challenge competitor systems to utilize general-purpose problem-solving techniques.
In 2015, CGC will hold its first qualifying event. A large collection of Challenge Binaries will be distributed by DARPA and systems around the world will race to automatically Secure & Evaluate it. Teams will transmit a secured version of the software collection back to DARPA along with inputs that locate flaws. After a successful DARPA site visit, top finishers receive $750,000 (see official Rules for details) and become eligible for the CGC final event.
In 2016, CGC will hold its final event co-located with the DEF CON Conference in Las Vegas, NV, where the competition will take place head to head on a network. Systems will autonomously create network defenses, deploy patches and mitigations, monitor the network, and evaluate the defenses of competitors.
The final competition event will be visualized, narrated, and streamed worldwide. CGC is open at no cost to teams around the world, and the top prize at the final competition event will be $2M.
The computer you’re using today is running core software, known as an Operating System, to provide basic services such as networking and file storage. Operating Systems grow like cities, with layers built on top of layers. To automatically analyze software running on any modern OS, a “complexity tax” must be paid to navigate the layers of old function, multiple methods, and layered interfaces.
DARPA built DECREE – the DARPA Experimental Cybersecurity Research Evaluation Environment – specifically for the Cyber Grand Challenge. DECREE is an Open Source operating system extension built exclusively for computer security research and experimentation. It includes several features to make it ideal for security experimentation, including:
Simplicity: Where any industry OS such as Linux will have hundreds of OS interface methods (“system calls”), DECREE has just seven, easing the work required to perform automatic identification of program input and output. DECREE also has its own executable format with a single entry point method to lower the barrier to entry for automation research.
Incompatibility: The software that runs in DECREE is custom-built for computer security research. DECREE programs have their own binary format, their own system call paradigm and share no code or protocols with the real world. For this reason, automation research done in DECREE is incompatible with the software that runs our world.
High determinism: Reproducibility is a key aspect of a sound scientific design. While perfect system state replay is impossible without a full system event recorder, DECREE has been designed to allow high determinism and reproducibility given a record of software and inputs. This reproducibility property has been built into DECREE from kernel modifications up through the entire platform stack.
DECREE is Open Source and will remain so in perpetuity as it is an experimentation ecosystem capable of uniting program analysis research, Capture-the-Flag competitions, and other applied research activities.
The DECREE source code is available on GitHub.