The DOD Defense Advanced Research Projects Agency (DARPA) published a notice in Monday’s Federal Register (78 FR 79411-79412; available on-line Saturday) announcing a competition under the America Competes Act (15 USC 3719). The purpose of the DARPA Cyber Grand Challenge (CGE) competition is to develop autonomous cyber-defense systems that will automate the detection of novel program flaws in networked systems and to then automatically formulate and deploy effective defenses for those flaws.
The challenge will take place on commercial off-the-shelf (COTS) IT operating systems and software that would be used by DOD, industry and the Defense Industrial Base. According to the competition rules (pg 5), DARPA is expecting that competitors will use existing automated program analysis capabilities to detect the program flaws. Those capabilities would include:
• Dynamic Analysis;
• Static Analysis;
• Symbolic Execution;
• Constraint Solving;
• Data Flow Tracking;
• Fuzz Testing; and
• Related technologies.
There would be two tracks in the competition; a Proposal Track and an Open Entry Track. Organizations may submit a research proposal based upon a Broad Agency Announcement issued last month. Or teams may compete under a less structured and unfunded open entry track.
Competitors from the open track will eligible for prizes for winning CGE Qualifying Events (CQE; $750,00) and teams from either track in the CGE Final Event (CFE) will be eligible for prizes ($2 Million, $1 Million and $750,000 for 1st, 2nd and 3rd place respectively).
There will be four CQE addressing the following areas of excellence (AoE; pg 6 of the Rules):
• Autonomous Analysis: The automated comprehension of computer software (e.g., CBs) provided through a Competition Framework.
• Autonomous Patching: The automatic patching of security flaws in CBs provided through a Competition Framework.
• Autonomous Vulnerability Scanning: The ability to construct input which when transmitted over a network provides proof of the existence of flaws in CBs operated by competitors. These inputs shall be regarded as Proofs of Vulnerability.
• Autonomous Service Resiliency: The ability to maintain the availability and intended function of CBs provided through a Competition Framework.
The CQE are currently scheduled to be held on June 3, 2015. This will be preceded by two scored events that will not be counted in the CQE evaluations. Those practice events will be held on December 2nd, 2014 and April 6th, 2015.
The final CFE will include evaluations of the same AoE and a combined Autonomous Network Defense; the ability to discover and mitigate security flaws in CBs from the vantage point of a network security device. The CFE will be held on July 17th, 2016.
More information on registration and the competition is available on the CGE web site.