Qualifier Challenge - YAN01_00010

Original Versions

Known Vulnerabilities

  • CWE-476 - NULL Pointer Dereference
  • CWE-824 - Access of Uninitialized Pointer
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 4.0
  • DESCARTES: 2.0
  • Disekt: 0.37
  • CodeJitsu: 0.04
  • FuzzBOMB: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • DeFENCE: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • DeepRed - CB1
  • DeFENCE - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • DESCARTES: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • DeFENCE: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

Lok Yan Lok.Yan@us.af.mil

DARPA performer group



This is a simple puzzle game where the user is presented with a rectangular board of size 32x32. At the start of the game, the board is littered with 4*n bits (n <= 64) which are set positions. The goal of the game is to clear the board by moving the bits towards the bottom left of the board. When the lower left 2x2 grid is filled with bits, they will disappear. There are only two kinds of movements that are allowed - rotate right or rotate down.

For example the following puzzle (the ... represents a bunch of 0s) 1100 0000 0000 0000 ... ... 1100 0000 0000 0000 ...

Has the solution: 0D x 31 and 1D x 31 (in any order).

Vulnerability Class:

The vulnerability is a an explicit NULL Pointer Dereference by calling NULL as a function. This vulnerability is triggered once a solution to the puzzle at hand is found. In essence, this CB should be easy to patch, but more difficult to POV. This vulnerability falls under CWE-824: Access of Uninitialized Pointer and CWE-476: Null Pointer Derefernece

Additional Notes:

This CB is designed to help CRSes determine well they handle bit-wise operations include the bit-based protocol as the ability to support bit-wise operations (mainly the rotate operations). There is the potential difficulty of the rotate down operation but the clear function boundaries should help with the behavior and logic recovery. The major challenge is in how a CRS might be able to find a "solution" to the puzzle at hand. To minimize this, we ensured that the default starting position is just the bottom two rows having all 1's. This means that only the right shift is needed to generate the POV. A user can change the code in the future accordingly.

Curated by Lunge Technology, LLC. Questions or comments? Send us email