Qualifier Challenge - KPRCA_00050

Original Versions

Known Vulnerabilities

  • CWE-822 - Untrusted Pointer Dereference
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 2.8
  • Disekt: 0.8
  • CodeJitsu: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 71.4% - CB1
  • TECHx: 57.1% - CB1
  • ForAllSecure: 42.9% - CB1
  • Disekt: 14.3% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)


TVS is a vault service with a time lock. Unless the current time is in the allowed range, users are not able to retrieve items from the vault. At any time, a user is allowed to store new items or list the item IDs that are in the vault. In order to keep the current time accurate, the vault service synchronizes its time with a remote server.

Feature List

  • Support for up to 500 vault items
  • Fast O(1) retrieval of vault items
  • Time and Vault Services are multiplexed for performance
  • Protection to prevent attackers from changing time
  • Software attestation via fixed addresses


There are two vulnerabilities, but both are due to vault IDs being used as locker_t pointers. This gives an attacker the ability to access or modify arbitrary memory locations. Patching the vulnerability requires verifying that the pointer the attacker provides is proper, e.g. that it points to an allocated element in the contents array and is properly aligned.
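The check described above, as an added example (not the challenge's own code or its reference patch). The `locker_t` layout, the `in_use` flag, and the function names `locker_from_id` and `store_demo` are assumptions made for illustration; the array size of 500 comes from the feature list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LOCKERS 500   /* "up to 500 vault items" from the feature list */

/* Hypothetical layout: the real locker_t is not shown on this page. */
typedef struct {
    int      in_use;      /* nonzero once an item has been stored */
    uint32_t len;
    uint8_t *data;
} locker_t;

static locker_t contents[MAX_LOCKERS];

/* Map a client-supplied vault ID to a locker. Returns NULL unless the ID is
 * the address of an allocated, correctly aligned element of contents[]. */
locker_t *locker_from_id(uintptr_t id)
{
    uintptr_t base = (uintptr_t)&contents[0];
    uintptr_t end  = (uintptr_t)&contents[MAX_LOCKERS];  /* one past the end */

    if (id < base || id >= end)
        return NULL;                    /* outside the array */
    uintptr_t off = id - base;
    if (off % sizeof(locker_t) != 0)
        return NULL;                    /* points into the middle of an element */
    locker_t *l = &contents[off / sizeof(locker_t)];
    if (!l->in_use)
        return NULL;                    /* slot was never allocated */
    return l;
}

/* Demo helper: mark slot idx as stored and return the ID a client would see. */
uintptr_t store_demo(size_t idx)
{
    if (idx >= MAX_LOCKERS)
        return 0;
    contents[idx].in_use = 1;
    return (uintptr_t)&contents[idx];
}

int main(void)
{
    uintptr_t id = store_demo(3);
    printf("valid id accepted:      %d\n", locker_from_id(id) != NULL);
    printf("misaligned id rejected: %d\n", locker_from_id(id + 1) == NULL);
    printf("free slot rejected:     %d\n",
           locker_from_id((uintptr_t)&contents[4]) == NULL);
    return 0;
}
```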

A third vulnerability also exists in the interaction between main and realloc. In some implementations of realloc, a realloc with a length of 0 can return NULL. The logic in main expects this function to return NULL only if there is an error, so it will try to continue to use the pointer that has just been freed by realloc, resulting in a double free.

Generic class of vulnerability

Untrusted Pointer Dereference

CWE classification

CWE-822: Untrusted Pointer Dereference


Triggering the vulnerability to modify memory locations is easy, while triggering the vulnerability to access memory locations is difficult because it requires unlocking the vault. Additionally, the IO is obfuscated using XOR, which makes fuzzing more challenging, e.g. changing a single byte or bit cascades into the following bytes.

Curated by Lunge Technology, LLC.