Re: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024)

[Alfredo Ortega <ortegaalfredo () gmail com>]

I found a real bug (OpenBSD IPv6 Multicast Forwarding Cache sysctl
kernel heap overflow) using Mistral-Medium almost 6 months ago:
https://github.com/ortegaalfredo/vulns-ai/blob/main/openbsd_mfc6_sysctl_overflow.txt

The simple tool that did it is also released as open-source here:

https://github.com/ortegaalfredo/autokaker

About to release the second version, and a vscode plugin, next week.


El vie, 16 ago 2024 a las 18:05, David A. Wheeler
(<dwheeler () dwheeler com>) escribió:
> All, FYI:
>
> DARPA and ARPA-H are running a research competition called the "AI Cyber Challenge" (AIxCC).
> Its goal is to create automated tools that find and *fix* vulnerabilities in software.
> General information is here: <https://aicyberchallenge.com/>
>
> The AIxCC semifinal competition was last week at DEF CON 32 (2024).
> All competitors were given an identical set of Challenge Projects, which were
> real-world OSS projects seeded with synthetic vulnerabilities.
> The projects were Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika.
> There were 7 winners; each winner received $2 million US as a reward, and those
> teams will be allowed to compete in the finals at next year's DEF CON.
>
> An official summary is here: <https://www.darpa.mil/news-events/2024-08-11>.
> Some other interesting links related to the semifinals include:
> <https://blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/>
> <https://www.youtube.com/watch?v=sQKGWZvuLko>
>
> One of the competing teams, Team Atlanta, even found a real-world bug in SQLite3.
> This was reported to SQLite through their usual process; it's fixed in trunk. More info
> about that specifically is here:
> - <https://x.com/TeamAtlanta24/status/1822739301463130271>
> - <https://sqlite.org/forum/forumpost/81670d1056>
>
> The tools must be released by next year as open source software, with an OSI-approved license,
> as a condition for accepting prize money or competing in the final competition. Exact text is in the
> "Open-Source Requirement" section in its rules <https://aicyberchallenge.com/rules/>.
> The challenge problems were all based on real-world OSS, and the
> hope is that in the long term such tools can automatically find & fix vulnerabilities in all
> software including OSS.
>
> Full disclosure: I work for the Open Source Security Foundation (OpenSSF) and I
> have been working with DARPA & ARPA-H supporting this. That said, I thought others in this mailing
> list would want to know about it. No research is *guaranteed* to produce something
> leading to useful results, but I think this is a promising approach. We definitely could *use*
> tools that automatically find & fix vulnerabilities, if they're good enough!!
>
> --- David A. Wheeler