Qualifier Challenge - KPRCA_00044

Original Versions

Known Vulnerabilities

  • CWE-788 - Access of Memory Location After End of Buffer
  • CWEs are listed as indicated by the challenge author.


  • CodeJitsu: 0.0
  • Disekt: 0.0
  • ForAllSecure: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • Shellphish - CB1
  • TECHx - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • TECHx: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)


This service implements a simple text generator based on a Markov process. The initial states are built using static text from the great essayist Jonathan Swift. Additional states can be introduced by training, during which the service will generate text using the current states and an included dictionary, and if the user approves, the text will be added to the states.

Feature List

As an ultra-secure service, attempts to exploit this service will fail because of its novel function pointer protection (FUNpro). Additionally, the text generation uses an advanced RNG that makes use of the latest in processor technologies (SSE2).

The available commands are:

  • Reprotect - FUNpro!
  • Add word - add a word to the internal dictionary
  • Sort words - sort the internal dictionary
  • Search words - search through the dictionary for a word or partial word
  • Generate text - generates text randomly using the current states
  • Training - add new states via a machine learning procedure


The vulnerability is a buffer overflow of an array of strings in the .data section (words). The binary fails to check the length of the array when adding new strings to the end of the array (main.c:421). By overflowing the array, an attacker is able to overwrite data used by malloc and eventually the secret_key, which is used to deobfuscate function pointers.

Generic class of vulnerability

Buffer overflow

CWE classification

CWE-788: Access of Memory Location After End of Buffer


This challenge set implements a service with a minimum of direct function calls. Instead, almost all of the function calls from main.c are indirect calls through an array of obfuscated function pointers. These function pointers are obfuscated at compile time by adding a constant value to the pointers, and can be reobfuscated at run-time by the user. This will pose a challenge for static analysis of the challenge binary.

Additionally, in order to trigger the buffer overflow, an attacker must be able to add many valid words to the dictionary. When adding a new word, the service checks that the word does not already exist in the dictionary and that the word partially matches another word in the dictionary. This will pose a challenge for trivial fuzzing attempts, but should be easy for symbolic execution. However, if incorrect paths are taken, the solver will need to handle SSE and SSE2 instructions.
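The missing length check and the additive pointer obfuscation described above can be modelled in a few lines of C. This is an added example, not code from the challenge binary: the slot array stands in for the adjacent words array and secret_key in .data, and MAX_WORDS, the key value and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_WORDS 4            /* constructed capacity, not the service's */
#define KEY_SLOT  MAX_WORDS    /* the key sits directly after the array */

/* Model of adjacent .data: word slots followed by the pointer key. */
typedef struct { uintptr_t slot[MAX_WORDS + 1]; size_t count; } region_t;
typedef int (*fn_t)(void);

static int hello(void) { return 42; }

void region_init(region_t *r, uintptr_t key) {
    for (size_t i = 0; i < MAX_WORDS; i++) r->slot[i] = 0;
    r->slot[KEY_SLOT] = key;
    r->count = 0;
}

/* Obfuscate by adding a constant to the pointer, as the page describes. */
uintptr_t protect(const region_t *r, fn_t f) {
    return (uintptr_t)f + r->slot[KEY_SLOT];
}
fn_t unprotect(const region_t *r, uintptr_t stored) {
    return (fn_t)(stored - r->slot[KEY_SLOT]);
}

/* Flawed append: no capacity check, so entry MAX_WORDS lands on the key. */
int add_word_unchecked(region_t *r, const char *w) {
    r->slot[r->count++] = (uintptr_t)w;
    return 0;
}

/* Hardened append: refuse the word once the array is full. */
int add_word_checked(region_t *r, const char *w) {
    if (r->count >= MAX_WORDS) return -1;
    r->slot[r->count++] = (uintptr_t)w;
    return 0;
}

/* Returns 1 if a protected pointer still decodes after MAX_WORDS + 1 appends. */
int key_survives(int (*add)(region_t *, const char *)) {
    static const char w[] = "word";   /* constructed sample word */
    region_t r;
    region_init(&r, 0x5A5A);          /* constructed key value */
    uintptr_t stored = protect(&r, hello);
    for (int i = 0; i <= MAX_WORDS; i++) add(&r, w);
    return unprotect(&r, stored) == hello;
}
```

With the checked append the stored pointer still decodes to the original function; with the unchecked one the key slot holds a word address and every protected pointer decodes to the wrong target.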

Curated by Lunge Technology, LLC.