27 August 2025

DARPA: Closing the Open Source Security Gap With AI

Alexander Culafi

Open source components continue to cause huge problems for security practitioners, and AIxCC was created to determine whether automation could help close the gap.

At DEF CON 33, DARPA announced the winners of its AI Cyber Challenge (AIxCC), a two-year program in which teams were tasked with using AI technology to secure the open source technology underlying critical infrastructure. Teams developed "cyber reasoning systems" (CRSes) to remediate vulnerabilities during a series of challenges.

In the Final Competition, teams were tasked with using their CRSes to identify and generate patches for synthetic vulnerabilities across 54 million lines of code. CRSes discovered 54 unique synthetic vulnerabilities in the final challenges of the competition, patching 43. And because the code was based on real software, teams discovered 18 additional real, non-synthetic vulnerabilities that were disclosed to open source project maintainers. Teams provided 11 patches for real vulnerabilities during the competition.

According to a press release announcing the winners, competition tasks cost an average of $152, compared to the hundreds or thousands of dollars bug bounties can cost.

The winners were determined by a scoring system that rated CRS performance on discovery speed, bug report analysis, patch generation speed, and patch quality. The winners were Team Atlanta, Trail of Bits, and Theori; the teams will receive $4 million, $3 million, and $1.5 million respectively.
