Message-Id: <24243143-1A4D-4B71-A6C4-C8140C09A1CE@dwheeler.com>
Date: Fri, 16 Aug 2024 17:04:52 -0400
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Subject: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024)

All, FYI:

DARPA and ARPA-H are running a research competition called the "AI Cyber Challenge" (AIxCC).
Its goal is to create automated tools that find and *fix* vulnerabilities in software.
General information is here: <https://aicyberchallenge.com/>

The AIxCC semifinal competition was last week at DEF CON 32 (2024).
All competitors were given an identical set of Challenge Projects, which were
real-world OSS projects seeded with synthetic vulnerabilities.
The projects were Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika.
There were 7 winners; each winner received $2 million US as a reward, and those
teams will be allowed to compete in the finals at next year's DEF CON.

An official summary is here: <https://www.darpa.mil/news-events/2024-08-11>.
Some other interesting links related to the semifinals include:
<https://blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/>
<https://www.youtube.com/watch?v=sQKGWZvuLko>

One of the competing teams, Team Atlanta, even found a real-world bug in SQLite3.
This was reported to SQLite through their usual process; it's fixed in trunk. More info
about that specifically is here:
- <https://x.com/TeamAtlanta24/status/1822739301463130271>
- <https://sqlite.org/forum/forumpost/81670d1056>

The tools must be released by next year as open source software, with an OSI-approved license,
as a condition for accepting prize money or competing in the final competition. Exact text is in the
"Open-Source Requirement" section in its rules <https://aicyberchallenge.com/rules/>.
The challenge problems were all based on real-world OSS, and the
hope is that in the long term such tools can automatically find & fix vulnerabilities in all
software including OSS.

Full disclosure: I work for the Open Source Security Foundation (OpenSSF) and I
have been working with DARPA & ARPA-H supporting this. That said, I thought others in this mailing
list would want to know about it. No research is *guaranteed* to produce something
leading to useful results, but I think this is a promising approach. We definitely could *use*
tools that automatically find & fix vulnerabilities, if they're good enough!!

--- David A. Wheeler