By Jeff Diecks
Competitors’ Cyber Reasoning Systems (CRSs) proved themselves at the AIxCC semifinals at DEF CON 32 this month, with seven teams advancing to the finals of the two-year competition aimed at automatically finding and fixing vulnerabilities in critical software projects.
The AI Cyber Challenge (AIxCC), led by the Defense Advanced Research Projects Agency (DARPA) in collaboration with the Advanced Research Projects Agency for Health (ARPA-H), aims to secure open source software through AI. For the AIxCC Semifinal Competition, teams set out to build Cyber Reasoning Systems capable of automatically processing a set of Challenge Projects. The challenge sought to determine whether competitors’ systems could identify and remediate security defects intentionally inserted into copies of popular open source projects such as Jenkins, the Linux kernel, Nginx, SQLite3, and Apache Tika.
In total, competitors’ systems discovered 22 unique synthetic vulnerabilities in the Challenge Projects, and of those, patched 15. Competitors’ systems identified 11 unique patches for C-based challenges and four unique patches for Java-based challenges. Competitors’ systems also found one real-world bug in SQLite3, which has been responsibly disclosed according to SQLite3’s bug reporting guidelines.
The semifinal results showed the real-world potential of the CRSs. Open source project maintainers already have backlogs full of potential issues that need investigation; what they lack is time to triage and fix them. That the CRSs produced 15 successful patches, each accompanied by a report on how to reproduce the underlying issue, demonstrates the real value such systems could offer open source projects: tools that identify and resolve security defects with minimal toil for maintainers.
OpenSSF’s role as a challenge advisor to the AIxCC is to ensure the competition provides solutions that benefit open source culture and community. At the conclusion of the challenge, the systems from winning competitors will be open sourced as a technical initiative of the OpenSSF.
As the competition shifts to the finals, the AIxCC team will consider a new set of challenge projects across a wider range of critical software projects. OpenSSF will support the competition in the year ahead by serving as the liaison between open source community members and the AIxCC program.
If you are a maintainer or developer of an open source project and are interested in it being considered as a challenge for the finals, please reach out to OpenSSF and we can assist in coordinating with the AIxCC team.
About the Author
Jeff Diecks is the Technical Program Manager for the AI Cyber Challenge (AIxCC) at the Open Source Security Foundation (OpenSSF). A participant in open source since 1999, he’s delivered digital products and applications for dozens of universities, six professional sports leagues, state governments, global media companies, non-profits, and corporate clients.