All, FYI: DARPA and ARPA-H are running a research competition called the "AI Cyber Challenge" (AIxCC). Its goal is to create automated tools that find and *fix* vulnerabilities in software. General information is here: <https://aicyberchallenge.com/>
The AIxCC semifinal competition was last week at DEF CON 32 (2024). All competitors were given an identical set of Challenge Projects, which were real-world OSS projects seeded with synthetic vulnerabilities. The projects were Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika. There were 7 winners; each winner received $2 million US as a reward, and those teams will be allowed to compete in the finals at next year's DEF CON. An official summary is here: <https://www.darpa.mil/news-events/2024-08-11>

Some other interesting links related to the semifinals include:
- <https://blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/>
- <https://www.youtube.com/watch?v=sQKGWZvuLko>

One of the competing teams, Team Atlanta, even found a real-world bug in SQLite3. This was reported to SQLite through their usual process; it's fixed in trunk. More info about that specifically is here:
- <https://x.com/TeamAtlanta24/status/1822739301463130271>
- <https://sqlite.org/forum/forumpost/81670d1056>

The tools must be released by next year as open source software, with an OSI-approved license, as a condition for accepting prize money or competing in the final competition. Exact text is in the "Open-Source Requirement" section in its rules: <https://aicyberchallenge.com/rules/>

The challenge problems were all based on real-world OSS, and the hope is that in the long term such tools can automatically find & fix vulnerabilities in all software including OSS.

Full disclosure: I work for the Open Source Security Foundation (OpenSSF) and I have been working with DARPA & ARPA-H supporting this. That said, I thought others in this mailing list would want to know about it.

No research is *guaranteed* to produce something leading to useful results, but I think this is a promising approach. We definitely could *use* tools that automatically find & fix vulnerabilities, if they're good enough!!

--- David A. Wheeler
