Qualifier Challenge - CROMU_00020

Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 1.27
  • CodeJitsu: 0.01
  • TECHx: 0.01
  • CSDS: 0.01
  • Disekt: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Bryce Kerley" bk@cromulence.co

DARPA performer group

Cromulence (CROMU)


This service uses floating point and integer operations to set up internal state based on a provided seed. It then requires clients to make assertions about that state before allowing them access to an echo service with a buffer overrun vulnerability.

Feature List

This service forces clients to seed a RNG with 256 bits of entropy. With that entropy, it initializes a 4096 bit pool using mixed floating-point and integer operations on the same data. This is intended to only allow CRSes capable of correctly implementing x86 math. Beyond that, it's a simple stack buffer overrun vulnerability.


Standard Type-Length-Value protocol. The functions in messages.c and constants in messages.h are generated by tool/message_builder.rb based on data in tool/messages.csv .


After navigating the RNG state matching, an echo message with length over 80 bytes will overflow the buffer on the stack for messages to be echoed back. Patching this vulnerability requires adding a length check, removing the buffer altogether, or dynamically allocating an appropriately-sized buffer.

Generic class of vulnerability

Stack-based buffer overflow

CWE classification

CWE-121 Stack-based Buffer Overflow


The primary difficulty with this challenge is maintaining identical RNG state with mixed floating-point and integer operations.

Curated by Lunge Technology, LLC. Questions or comments? Send us email