Message-Id: <24243143-1A4D-4B71-A6C4-C8140C09A1CE@dwheeler.com>
Date: Fri, 16 Aug 2024 17:04:52 -0400
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Subject: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024)

All, FYI:

DARPA and ARPA-H are running a research competition called the "AI Cyber Challenge" (AIxCC). Its goal is to create automated tools that find and *fix* vulnerabilities in software. General information is here: <https://aicyberchallenge.com/>

The AIxCC semifinal competition was last week at DEF CON 32 (2024). All competitors were given an identical set of Challenge Projects, which were real-world OSS projects seeded with synthetic vulnerabilities. The projects were Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika.

There were 7 winners; each winner received $2 million US as a reward, and those teams will be allowed to compete in the finals at next year's DEF CON. An official summary is here: <https://www.darpa.mil/news-events/2024-08-11>.

Some other interesting links related to the semifinals include:
<https://blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/>
<https://www.youtube.com/watch?v=sQKGWZvuLko>

One of the competing teams, Team Atlanta, even found a real-world bug in SQLite3. This was reported to SQLite through their usual process; it's fixed in trunk. More info about that specifically is here:
- <https://x.com/TeamAtlanta24/status/1822739301463130271>
- <https://sqlite.org/forum/forumpost/81670d1056>

The tools must be released by next year as open source software, with an OSI-approved license, as a condition for accepting prize money or competing in the final competition. Exact text is in the "Open-Source Requirement" section in its rules: <https://aicyberchallenge.com/rules/>.

The challenge problems were all based on real-world OSS, and the hope is that in the long term such tools can automatically find & fix vulnerabilities in all software, including OSS.

Full disclosure: I work for the Open Source Security Foundation (OpenSSF) and I have been working with DARPA & ARPA-H supporting this. That said, I thought others on this mailing list would want to know about it.

No research is *guaranteed* to produce something leading to useful results, but I think this is a promising approach. We definitely could *use* tools that automatically find & fix vulnerabilities, if they're good enough!!

--- David A. Wheeler