Proving once again that Minecraft exploits are fundamentally more interesting than the ones targeting software people actually care about (and definitely being better for civil society):
Some professional news: I’ve recently become a
@DARPA
Program Manager. I’m incredibly excited to work with the research community to explore the cutting edge in computer security!
I’m excited to announce the AI Cyber Challenge, a major, two-year
@DARPA
competition challenging the best and the brightest in cybersecurity and AI to secure the systems on which all American rely.
Over the years Sophia became one of my closest friends. I’m not at the point in grief to say words that would come close to doing her justice. She touched so many. I love her and miss her.
Some personal? professional? news: I'm extremely excited to set sail with the Nautilus Institute as we embark on our voyage as the newest organizers of
@defcon
CTF.
Great blog post on exploiting Qualcomm Secure Execution Environment (QSEE) on Android
The discussion of mitigations and general attack pattern pairs nicely with this ‘17 NDSS paper “BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments”
New blog post :)
A pretty unique Android vulnerability I found, which allowed me to exploit the kernel by using the TrustZone. This helped me bypass all kernel security mitigations and create a super reliable exploit.
Thanks to all of the
@defcon
CTF players, not just for all of your hard work but for your patience & understanding as we worked through our infra issues, which were significant this year. I’m so grateful to the entire CTF community & looking forward to a smoother CTF next year.
A few links for getting into CTF:
from
@shellphish
has lectures and challenges with great interactive environments—a fantastic set of resources.
In addition, highly recommend from
@PlaidCTF
and from
@RPISEC
I asked DEF CON CTF organizer Perri Adams about the make-up of a good capture-the-flag player and for recommendations for someone now getting started
@perribus
@edbutler2
@jonathandata1
Hey, Ed, the folks in your replies are right. The app is absolutely suspect but Jonathan’s claims go far beyond anything there’s evidence for and he’s demonstrated that he doesn’t understand the technology. Jonathan is a known charlatan to computer security experts.
Grabbed a copy of Rootkits and Bootkits from
@matrosov
’s talk at
#LABScon22
but only had it signed by 2/3 authors. Luckily, I know where to find
@sergeybratus
…
I don’t understand how people code live on video (eg
@gamozolabs
) I’ve reintroduced the same bug three times in the last two days and each instance took 20 minutes of debugging to find out I’d…unfixed the same thing as before
I’m hoping to follow in the footsteps of PMs like
@dotMudge
who created Cyber Fast Track, Mike Walker who ran DARPA’s Cyber Grand Challenge, Dustin Fraze who started DARPA CHESS, & others. I have so much respect & gratitude for them for making the research I’d like to do possible
I’m excited to announce the AI Cyber Challenge, a major, two-year
@DARPA
competition challenging the best and the brightest in cybersecurity and AI to secure the systems on which all American rely.
“The Biden-Harris Administration today launched a major two-year competition that will use artificial intelligence (AI) to protect the United States’ most important software, such as code that helps run the internet and our critical infrastructure.”
I’m excited to announce the AI Cyber Challenge, a major, two-year
@DARPA
competition challenging the best and the brightest in cybersecurity and AI to secure the systems on which all American rely.
DEF CON CTF kicks of at 11! Stop by the CTF room to see the World Series of hacking competitions. The 15 teams you see on the floor qualified out of 1200 teams from around the world & represent some of the best of the best at binary exploitation, reversing, web hacking, and more.
Congrats to all the players who solved Crypto Chall and to everyone who worked so hard on it! It got released early so I had time to writeup the solution. Source code and my exploit are also in the repo:
My baby, now released to the world.
Nota bene, this is a binary exploitation & cryptography challenge and is in no way associated with this so-called 'cryptocurrency' fad
With just over 6 hours left, all of the challenges for this year's
@defcon
Capture the Flag Qualifying event have now been released! After 42 hours of hacking, we wish teams luck in their final push to make it to Las Vegas in August.
The role of DARPA PM is this unique, unparalleled opportunity in which you’re afforded a fixed tenure (3-5 years) to create and direct research programs that push the bounds of current science. It’s quite frankly one of the coolest positions I’ll ever have.
This is why the AIxCC scoring algorithm penalizes false positives and requires teams submit proof of vulnerability in the form of inputs that exercise the flawed code and demonstrate the issue.
Coming up next on the pod: The incomparable Perri Adams (
@perribus
) on the value of CTFs and DARPA's new $20M AI Cyber Challenge
#SecurityConversations
#AIxCC
A snippet 👇
Today I’ll be at IEEE Security and Privacy
@IEEESSP
with Andrew Carney from
@ARPAHealth
to discuss AIxCC. There’s so much fantastic research being presented on how AI can be used for security, we’re excited to join the fun 🎉
“LAS VEGAS, Aug 17 (Reuters) - A team of hackers from two U.S. universities won the "Capture the Flag" championship, a contest seen as the "Olympics of hacking," which draws together some of the world's best in the field.”
Nice article about
@defcon
CTF
AIxCC couldn’t have found better conference friends than the wonderful folks
@defcon
So many more details on ~everything~ coming soon!
(pc
@Grifter801
)
I'm know I'm late but Chrome's MiraclePtr effort is really impressive - seems like it's going to kill a significant swathe of sandbox UAFs. The huge codebase rewrite & the performance impact show that some places are actually willing to make tradeoffs for security
Today, I signed an Executive Order that is the most significant action any government has ever taken on AI safety, security, and trust.
I am determined to do everything in my power to promote and demand responsible innovation.
It was a pleasure to join the Open Source Software Summit this week and speak about the AI Cyber Challenge, and how emerging technologies like AI can be used to combat cybersecurity threats.
For the latest on AIxCC:
The open-source ecosystem forms the bedrock of modern technology. As part of its mission to create breakthrough technologies & capabilities for national security, DARPA will continue to invest in efforts like AIxCC and OS3I that will help defend and secure OSS -
@perribus
,
@DARPA
All of the
@livectf
broadcasts from this year's
@defcon
CTF Qualifiers are up and can be watched here:
Great way for beginners to see how CTF players compete, with challenges easier than the ones usually found in DEF CON CTF
And that's a wrap! All LiveCTF challenges for the DEF CON CTF Quals 2023 are complete, thanks for joining us this year.
Join our final broadcast where we will recap all the results:
You can watch the AI Cyber Challenge Update here! Lots of fun stuff, from an additional $4 million in Semifinal Prizes to the first release of our Scoring Algorithm and Exemplar Challenge -- and it wouldn't be R&D without some schedule changes too ;)
In which Brandon graces us with his transcendent 🤯 Rust skills 🦀 by leveraging the power of Linux Kernel technology 🐧 and AI 🤖 to solve
@h0mbre_
’s parsing question by pulling down a copy of the image he tweeted and OCRing 📖 it as Middle English ⚔️
In this masterpiece I demonstrate the ability to use a combination of machine learning, custom string parsing, modern web 2.0, TLS and SSL, as well as bleeding-edge languages like Rust and JSON to solve a security research problem. With the ML capabilities this can easily scale.
My baby, now released to the world.
Nota bene, this is a binary exploitation & cryptography challenge and is in no way associated with this so-called 'cryptocurrency' fad
Just arrived at
@labscon_io
where it’s a balmy 96°F. Excited to sit down with
@KimZetter
tomorrow morning to chat about some equally hot topics: AI, cyber defense, and incentivizing innovation.
My writeup for smcauth, a great (albeit very annoying at times) crypto challenge for DEF CON CTF Qualifiers 2018. Thanks
@oooverflow
for the great competition!
@RPISEC
#DEFCONQUALS2018
Great question — we started AIxCC with the hypothesis that AI would be game changing in finding and fixing vulnerabilities in programs, not necessarily as a standalone tool but especially when strategically combined with the state of the art in program analysis.
i know its a competition but has anyone published even an outline of an AIxCC strategy? are you worried that the competitors are just going to use normal guided fuzzing and symbex with some decorative AI sprinkled on top
@perribus
?
"The bug is working, the exploit is flying" -
@michaeljpizza
"Are you sure?"
"It's, uh, taxiing right now. But about to takeoff".
In the final stretch of
@defcon
CTF challenge development
CTF was my gateway drug into computer security… so I’d be careful with those links ;)
And what I told Ryan is true — when I joined
@rpisec
in college I didn’t what x86 was & they refused to give me a disassembler until I wrote a buffer overflow exploit with objdump -d -M intel
Coming up next on the pod: The incomparable Perri Adams (
@perribus
) on the value of CTFs and DARPA's new $20M AI Cyber Challenge
#SecurityConversations
#AIxCC
A snippet 👇
@RPISEC
One last resource—I have a detailed heap exploitation tutorial (designed for beginners!) that’s Kesha-themed
The beginning of the pandemic was a different era; we were all discovering Zoom happy hours & jigsaw puzzles… I had a lot of time for bad puns
We are thrilled by the enthusiastic and thoughtful feedback we received to the
#AIxCC
Request for Comments on our Scoring Algorithm & Challenge Design — creating a challenge that truly drives the state of the art & produces real world relevance is hard, and we can’t do it alone…
In the run up to the Dec 1 Open Track opening, we’re putting out a Request for Memes (RFM) — pls dm me or reply with you best AIxCC related meme (exemplar attached, courtesy of
@adamdoupe
)
Mark your calendars for December 1st when our Open Track opens for registration. We’ll be releasing additional challenge information, including a draft Scoring Algorithm as a Request for Comments (RFC).
More details to come!
Back by popular demand! We so appreciated the positive feedback on ncuts, our
@defcon
CTF Quals challenge in 2022 w/ 24,000 compiled binaries, that we spent the past year painstakingly crafting a new collection of binary executables for your enjoyment.
But we’re here to do science — if the systems produced under AIxCC don’t move the needle, if some of the best researchers in the world can’t use AI as a force multiplier to find and fix bugs automatically at scale, that’s a major research result in and of itself…
Wow, this looks like a big step forward for Binary Ninja! Congrats to
@vector35
, I'm looking forward to trying it out (especially the new Pseudo-C decompiler)!
All — we’re delaying this release until the week of Dec 11. in order to package together even more technical challenge details and additional AIxCC updates — a gift to you all just in time for the holidays 🎁
We appreciate your patience — much more is coming soon!
Mark your calendars for December 1st when our Open Track opens for registration. We’ll be releasing additional challenge information, including a draft Scoring Algorithm as a Request for Comments (RFC).
More details to come!
DEF CON CTF Finals begins this morning! In May, 12 teams of the world’s top hackers qualified to compete in the Olympics of Hacking
@defcon
31. Come watch the best of the best hack eachother over the next 56 hours on the CTF floor with us
@Nautilus_CTF
As usual all slides from
@5aelo
and
@itszn13
are gold if you're into the JS/JIT engines game ;)
It gonna be hard for people not at
@offensive_con
to wait for the video replay :p
Apparently my parents’ health insurance stopped covering me a month ago without me knowing and all I can think about it that Simpson’s episode where Homer realizes he’s not insured and starts almost dying everywhere he goes
DEF CON CTF Finals begins this morning! In May, 12 teams of the world’s top hackers qualified to compete in the Olympics of Hacking
@defcon
31. Come watch the best of the best hack eachother over the next 56 hours on the CTF floor with us
@Nautilus_CTF
I'm particularly excited about the initial release of the
#AIxCC
Scoring Algorithm. The team put so much thought into developing an approach that would be fair, real-world relevant, and drive innovation forward.
"The bug is working, the exploit is flying" -
@michaeljpizza
"Are you sure?"
"It's, uh, taxiing right now. But about to takeoff".
In the final stretch of
@defcon
CTF challenge development
When I bought a copy of The New Yorker today the cashier actually said to me “oh I assumed you were looking at the celebrity magazines” like come on buddy you aren’t supposed to admit to your sexist assumptions that’s not how this works
Why the hell does RealWorldCTF have a link to an official State Dept. Visa application site as one of their crypto challenges. Not touching that with a 10 foot pole
Healthcare infrastructure is critical to saving lives. I’m incredibly excited for how this partnership will enable AIxCC to ensure the cutting edge in cybersecurity is used to keep Americans safe and healthy. Welcome
@ARPA_H
!
NEW: We’re partnering w/
@DARPA
on the Artificial Intelligence Cyber Challenge (AIxCC) to safeguard the nation’s health care infrastructure from cyberattacks.
AIxCC will assemble the best in AI & cybersecurity to defend software on which Americans rely.
I'd also like to thank
@oooverflow
for the last four years. It's going to be a hard act to follow, and I can't tell you how much I've enjoyed playing these last four years.
Our Senior Advisor, Lisa Einstein, took the stage at the IBM Security Summit for a dynamic panel of women in
#cybersecurity
and
#AI
, sharing insights into how we use innovative strategies to mitigate risks in AI security and protection.
#IBMSSNA
CONFESSION: I once Tillerson-ed an ex by breaking up with him via changing my relationship status to “Single” on Facebook.
The day before Valentine’s day.
Not my best moment.
Come for the BEHIND THE SCENES interview with me where we REVEAL the culprit behind the infrastructure difficulties at the beginning of this year's
@defcon
CTF Qualifiers
Stay to watch as some of the fastest hackers in the world compete to solve our second
@livectf
challenge!