Message-ID: <CAKfVa+kDOncGMgh+otnTQoToBtT2bqH3paTWD6ie9wZ6DLfRYw@mail.gmail.com>
Date: Sat, 17 Aug 2024 17:32:30 -0300
From: Alfredo Ortega <ortegaalfredo@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024)

I found a real bug (OpenBSD IPv6 Multicast Forwarding Cache sysctl
kernel heap overflow) using Mistral-Medium almost 6 months ago:
https://github.com/ortegaalfredo/vulns-ai/blob/main/openbsd_mfc6_sysctl_overflow.txt

The simple tool that did it is also released as open-source here:

https://github.com/ortegaalfredo/autokaker

About to release the second version, and a vscode plugin, next week.


On Fri, 16 Aug 2024 at 18:05, David A. Wheeler
(<dwheeler@...eeler.com>) wrote:
>
> All, FYI:
>
> DARPA and ARPA-H are running a research competition called the "AI Cyber Challenge" (AIxCC).
> Its goal is to create automated tools that find and *fix* vulnerabilities in software.
> General information is here: <https://aicyberchallenge.com/>
>
> The AIxCC semifinal competition was last week at DEF CON 32 (2024).
> All competitors were given an identical set of Challenge Projects, which were
> real-world OSS projects seeded with synthetic vulnerabilities.
> The projects were Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika.
> There were 7 winners; each winner received $2 million US as a reward, and those
> teams will be allowed to compete in the finals at next year's DEF CON.
>
> An official summary is here: <https://www.darpa.mil/news-events/2024-08-11>.
> Some other interesting links related to the semifinals include:
> <https://blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/>
> <https://www.youtube.com/watch?v=sQKGWZvuLko>
>
> One of the competing teams, Team Atlanta, even found a real-world bug in SQLite3.
> This was reported to SQLite through their usual process; it's fixed in trunk. More info
> about that specifically is here:
> - <https://x.com/TeamAtlanta24/status/1822739301463130271>
> - <https://sqlite.org/forum/forumpost/81670d1056>
>
> The tools must be released by next year as open source software, with an OSI-approved license,
> as a condition for accepting prize money or competing in the final competition. Exact text is in the
> "Open-Source Requirement" section in its rules <https://aicyberchallenge.com/rules/>.
> The challenge problems were all based on real-world OSS, and the
> hope is that in the long term such tools can automatically find & fix vulnerabilities in all
> software including OSS.
>
> Full disclosure: I work for the Open Source Security Foundation (OpenSSF) and I
> have been working with DARPA & ARPA-H supporting this. That said, I thought others in this mailing
> list would want to know about it. No research is *guaranteed* to produce something
> leading to useful results, but I think this is a promising approach. We definitely could *use*
> tools that automatically find & fix vulnerabilities, if they're good enough!!
>
> --- David A. Wheeler
>
