DARPA Cyber Grand Challenge Final Event Archive

Qualifier Challenge - YAN01_00009

Original Versions

Author-supplied POVs: POV1, POV2
Browse Source

POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

CWE-134 - Use of Externally-Controlled Format String

CWEs are listed as indicated by the challenge author.

Scores

DeepRed: 0.38
CSDS: 0.23
CodeJitsu: 0.0
Disekt: 0.0
ForAllSecure: 0.0
TECHx: 0.0
Shellphish: 0.0
FuzzBOMB: 0.0
TrailofBits: 0.0

The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

CodeJitsu - CB1, CB2, CB3
CSDS - CB1, CB2, CB3
DeepRed - CB1, CB2, CB3
Disekt - CB1, CB2, CB3
ForAllSecure - CB1, CB2, CB3
FuzzBOMB - CB1, CB2, CB3
Shellphish - CB1, CB2, CB3
TECHx - CB1, CB2, CB3
TrailofBits - CB1, CB2, CB3

Proved a POV in reference challenge

POVs in CQE must follow the POV markup specification.

Defense against reference POVs

ForAllSecure: 100.0% - CB1, CB2, CB3
TrailofBits: 100.0% - CB1, CB2, CB3
CodeJitsu: 100.0% - CB1, CB2, CB3
CSDS: 100.0% - CB1, CB2, CB3
DeepRed: 50.0% - CB1, CB2, CB3

No submission

Eighth Place Team
Eleventh Place Team
Fifth Place Team - Finalist
First Place Team - Finalist
Fourth Place Team - Finalist
Ninth Place Team
Second Place Team - Finalist
Seventh Place Team - Finalist
Sixth Place Team - Finalist
Tenth Place Team
Third Place Team - Finalist
Thirteenth Place Team
Twelfth Place Team

All Submissions

Author Information

Lok Yan Lok.Yan@us.af.mil

DARPA performer group

AFRL

Description:

This is a simple HTTP-proxy like service. This is an IPC cb where the main CB acts as a router and all other CBs act as individual web-servers. The protocol is very simple with three possible commands:

HELLO I AM [name] : Used by the client to initiate a conenction with the router HELLO [name] YOUR UID IS [uid] HOW CAN I HELP YOU : Used by the router to acknowledge the client [uid] SAYS GET [url] PLEASE : Used by the client to retrieve a specific page. GOODBYE : Used by the client to close the link. GOODBYE is also echoed by the router. BAD CMD : Used by the router to report a parsing error to the client. SERVER NOT FOUND : Used by the router to report an invalid server

Vulnerability Class:

Classic format string vulnerability that falls under CWE-134: Uncontrolled Format String.

Additional Notes:

A python script - textIntoPageData.py is provided to generate the pages.data file that is included into the CBs. This acts as their internal page database