The DOD Defense Advanced Research Projects Agency (DARPA)
published a notice in Monday’s Federal Register (78 FR
79411-79412; available on-line Saturday) announcing a competition under the
America Competes Act (15
USC 3719). The purpose of the DARPA Cyber Grand
Challenge (CGE) competition is to develop autonomous cyber-defense systems
that will automate the detection of novel program flaws in networked systems
and to then automatically formulate and deploy effective defenses for those
flaws.
The challenge will take place on commercial off-the-shelf
(COTS) IT operating systems and software that would be used by DOD, industry
and the Defense Industrial Base. According to the competition
rules (pg 5), DARPA is expecting that competitors will use existing automated
program analysis capabilities to detect the program flaws. Those capabilities
would include:
• Dynamic Analysis;
• Static Analysis;
• Symbolic Execution;
• Constraint Solving;
• Data Flow Tracking;
• Fuzz Testing; and
• Related technologies.
There would be two tracks in the competition; a Proposal
Track and an Open Entry Track. Organizations may submit a research proposal
based upon a Broad
Agency Announcement issued last month. Or teams may compete under a less
structured and unfunded open entry track.
Competitors from the open track will eligible for prizes
for winning CGE Qualifying Events (CQE; $750,00) and teams from either track in
the CGE Final Event (CFE) will be eligible for prizes ($2 Million, $1 Million
and $750,000 for 1st, 2nd and 3rd place
respectively).
There will be four CQE addressing the following areas of
excellence (AoE; pg 6 of the Rules):
• Autonomous Analysis: The
automated comprehension of computer software (e.g., CBs) provided through a Competition
Framework.
• Autonomous Patching: The
automatic patching of security flaws in CBs provided through a Competition Framework.
• Autonomous Vulnerability
Scanning: The ability to construct input which when transmitted over a network
provides proof of the existence of flaws in CBs operated by competitors. These
inputs shall be regarded as Proofs of Vulnerability.
• Autonomous Service Resiliency:
The ability to maintain the availability and intended function of CBs provided
through a Competition Framework.
The CQE are currently scheduled to be held on June 3, 2015.
This will be preceded by two scored events that will not be counted in the CQE
evaluations. Those practice events will be held on December 2nd,
2014 and April 6th, 2015.
The final CFE will include evaluations of the same AoE and a
combined Autonomous Network Defense; the ability to discover and mitigate
security flaws in CBs from the vantage point of a network security device. The
CFE will be held on July 17th, 2016.
More information on registration and the competition is
available on the CGE web site.
Posts
No comments:
Post a Comment