0
0
0
0
0
0
0
0
0
0
0
0
:
0
0
0
0
0
0
0
0
:
0
0
0
0
0
0
0
0
:
0
0
0
0
0
0
0
0
ABOUT

With the coming advent of the Internet of Things, data insecurity is on track to become physical insecurity. The same code that powers today’s networked computers – code that is routinely compromised by attackers – is making its way into our vehicles, our smart homes, our augmented reality, and our connected culture. This future requires fundamentally new thinking about how networked devices will be defended.

Today’s attackers have the upper hand due to the problematic economics of computer security. Attackers have the concrete and inexpensive task of finding a single flaw to break a system. Defenders on the other hand are required to anticipate and deny any possible flaw – a goal both difficult to measure and expensive to achieve. Only automation can upend these economics.

The ultimate test of wits in computer security occurs through open competition on the global Capture the Flag (CTF) tournament circuit. In CTF contests, experts reverse engineer software, probe its weaknesses, search for deeply hidden flaws, and create securely patched replacements. How hard is this work? The recently discovered Heartbleed flaw in OpenSSL went undiscovered by automation for years before experts found it. The discovery of Heartbleed required the same type of reverse engineering excellence that CTFs are designed to hone.

What if a purpose built supercomputer could compete against the CTF circuit’s greatest experts? Such a computer could scour the billions of lines of code we depend on, find and fix the toughest flaws, upend the economics of computer security, and level the playing field between attackers and defenders.

Over the next two years, innovators worldwide are invited to answer the call of Cyber Grand Challenge. Over a series of competition events, the very first prototype CTF-playing systems will be constructed, competed, and selected.

In 2016, DARPA will hold the world’s first all-computer Capture the Flag tournament live on stage co-located with the DEF CON Conference in Las Vegas where automated systems may take the first steps towards a defensible, connected future.

Explore this site to learn more about Cyber Grand Challenge, and help us start a revolution.

The Internet revolution began on the desktop, and as computers grew up, malware did too. Malware can attack our data and our privacy, but it’s been stuck on the desktop for decades.

But the place of networked computers in our world is changing.
1994
THE INTERNET OF THINGS
What started out as a network of information appliances is turning into a global internetwork of smart devices.
From cars that can drive us to work on their own to devices that help us manage our homes, networked computers are now being taxed with the heavy lifting of civilization.
Computers are on track to mediate our reality, change the way we interact, and become part of our human organism.
This change raises a critical question: are today's networked computers safe enough to trust with this responsibility?
 
There are benefits and advantages to the connected society we are building. But we are building this connected society on top of a computing infrastructure we haven’t learned to secure.
 
There’s evidence to show that while digital insecurity is growing, it is also making its way into devices we can’t afford to doubt.
 
Some of the hardest problems in computer security are the basis of a global competition between experts: Capture the Flag. Cyber Grand Challenge has adopted this format, challenging fully automated systems to reverse engineer unknown software, then locate and heal its weaknesses in a live network competition.

Cyber Grand Challenge seeks to someday make software safety the expert domain of machines.
RULES

If you’re interested in joining or forming a team, the authoritative rules are available directly from the DARPA Competitor Portal.

If you’re in a hurry, here are a few key points:

Cyber Grand Challenge (CGC) is a contest to build high performance computers capable of playing in a Capture-the-Flag style cyber-security competition.

During all competition events, systems will compete on their own with no human involvement.

Scoring during all events is simple: systems will score points based on their ability to Evaluate software, maintain software Availability, and Secure software from the presence of harmful flaws.

During competition events, CGC systems will analyze custom compiled software (written in the C language family) built exclusively for the competition. This software collection (Challenge Binaries) will implement network services built on no currently existing code or protocol. This will challenge competitor systems to utilize general-purpose problem solving techniques.

In 2015, CGC will hold its first qualifying event. A large collection of Challenge Binaries will be distributed by DARPA and systems around the world will race to automatically Secure & Evaluate it. Teams will transmit a secured version of the software collection back to DARPA along with inputs that locate flaws. After completing a DARPA site visit, top finishers receive $750,000 (see official Rules for details) and become eligible for the CGC final event.

In 2016, CGC will hold its final event co-located with the DEF CON Conference in Las Vegas, NV where the competition will take place head to head on a network. Systems will autonomously create network defenses, deploy patches and mitigations, monitor the network, and evaluate the defenses of competitors.

The final competition event will be visualized, narrated, and streamed worldwide. CGC is open at no cost to teams around the world, and the top prize at the final competition event will be $2M.

READ MORE HERE
PLATFORM

The computer you’re using today is running core software, known as an Operating System, to provide basic services such as networking and file storage. Operating Systems grow like cities, with layers built on top of layers. To automatically analyze software running on any modern OS, a “complexity tax” must be paid to navigate the layers of old function, multiple methods, and layered interfaces.

DARPA built DECREE – the DARPA Experimental Cybersecurity Research Evaluation Environment – specifically for the Cyber Grand Challenge. DECREE is an Open Source operating system extension built exclusively for computer security research and experimentation. It includes several features to make it ideal for security experimentation, including:

Simplicity: Where any industry OS such as Linux will have hundreds of OS interface methods (“system calls”), DECREE has just seven, easing the work required to perform automatic identification of program input and output. DECREE also has its own executable format with a single entry point method to lower the barrier to entry for automation research.

Incompatibility: The software which runs in DECREE is custom-built for computer security research. DECREE programs have their own binary format, their own system call paradigm and share no code or protocols with the real world. For this reason, automation research done in DECREE is incompatible with the software that runs our world.

High determinism: Reproducibility is a key aspect of a sound scientific design. While perfect system state replay is impossible without a full system event recorder, DECREE has been designed to allow high determinism and reproducibility given a record of software and inputs. This reproducibility property has been built into DECREE from kernel modifications up through the entire platform stack.

DECREE is Open Source and will remain so in perpetuity as it is an experimentation ecosystem capable of uniting program analysis research, Capture-the-Flag competitions, and other applied research activities.

READ MORE HERE
MILESTONES
TBA
TBA
TBA
TBA
The qualification phase will include two scored events that will be similar to the Cyber Grand Challenge Qualification Event. Participation in Scored Events is optional and success in these events will not be part of CGC scoring. Each Scored Event is an opportunity for competitors to gain an understanding of the format, procedure, and scoring mechanism to be used during the CQE. These events are tentatively scheduled for December 2, 2014 and April 6, 2015.
1
?
?
1
9
?
?
9
7
?
?
7
0
?
?
0
Home
about
overview
rules
platform
milestones
Press
Contact
Register
DARPA