Original Versions

• Author-supplied POVs: POV1
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-467 - Use of sizeof() on a Pointer Type
CWEs are listed as indicated by the challenge author.

Scores

• ForAllSecure: 1.78
• CSDS: 1.58
• TECHx: 1.42
• TrailofBits: 0.31
• CodeJitsu: 0.0
• Disekt: 0.0
• Shellphish: 0.0
• FuzzBOMB: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• DeepRed - CB1
• Disekt - CB1
• ForAllSecure - CB1
• FuzzBOMB - CB1
• Shellphish - CB1
• TECHx - CB1
• TrailofBits - CB1

Proved a POV in reference challenge

POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• CodeJitsu: 100.0% - CB1
• Disekt: 100.0% - CB1
• ForAllSecure: 100.0% - CB1
• TECHx: 100.0% - CB1
• CSDS: 100.0% - CB1
• TrailofBits: 100.0% - CB1
• DeepRed: 100.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9

Author Information

“James Connor” jymbo@cromulence.co

DARPA performer group

Cromulence (CROMU)

Description

This service performs routing across the map information provided. A user shell is provided to allow input of map data, and route requests

Feature List

The map supports roads, addresses, and intersections. Intersections are constucted by selecting two roads to join. Addresses are numbers on road, between two intersections. The map can be printed and routes from address to address can be resolved.

Vulnerability

Routing is performed by traversing intersections on a discovered road to discover additional connected roads. As unique roads(nodes) are discovered, they are pushed to a list stored in a the data[4080] element of a linked list node. The size limit for the number of traversals which can be stored in the data element is checked against sizeof(pointer), rather than sizeof(element), resulting in a heap overwrite.

Generic class of vulnerability

Heap overflow

CWE classification

CWE-467

Challenges

Different elements are stored in common data containers, creating a challenge for inferring data types. Also, a CRS must created a valid, sufficiently deep graph to reach the vulnerable route function.