Qualifier Challenge - KPRCA_00039

Original Versions

Known Vulnerabilities

  • CWE-134 - Use of Externally-Controlled Format String
  • CWEs are listed as indicated by the challenge author.


  • CodeJitsu: 0.32
  • Disekt: 0.0
  • ForAllSecure: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • CSDS: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)


This service provides the user with a way to play a game against a simple AI. The user begins by entering their name and the game begins. The user then inputs coordinates on a game board and if their move is valid a stone of their team color is placed on the board. The AI then performs a move and the game continues like this until one player runs out of stones of a maximum number of moves has occurred.

Feature List

The user is presented with a visual printout of the state of the game as the game progresses which include board state, team scores, and how many game ticks have occurred. If the user attempts an invalid move the game is not drawn but instead they are simply prompted for a new move. The rules of the game are quite simple. An user can only place a stone on an empty point on the board. A stone is captured if it can not be connected to a stone of its same color. Score is a combination of captures and stones on the board. When the game terminates the user is notified whether they were a winner or a loser.


The vulnerability is a simple printf vulnerability, however for the vulnerability to be triggered the game must reach the end. At that point, the name the user supplied is passed directly to printf as the format string.

Generic class of vulnerability

Arbitrary format string

CWE classification

CWE-134: Uncontrolled Format Sting


The service acts primary to test the strength of the competitor's ability to reason through fairly complex logic quickly. The competitor must be able to generate enough valid moves against an AI to successful finish the game in a reasonable amount of time to be successful against this service.

Curated by Lunge Technology, LLC. Questions or comments? Send us email