I found a real bug (OpenBSD IPv6 Multicast Forwarding Cache sysctl kernel heap overflow) using Mistral-Medium almost 6 months ago: https://github.com/ortegaalfredo/vulns-ai/blob/main/openbsd_mfc6_sysctl_overflow.txt
The simple tool that did it is also released as open-source here: https://github.com/ortegaalfredo/autokaker About to release the second version, and a vscode plugin, next week. El vie, 16 ago 2024 a las 18:05, David A. Wheeler (<[email protected]>) escribió: > > All, FYI: > > DARPA and ARPA-H are running a research competition called the "AI Cyber > Challenge" (AIxCC). > Its goal is to create automated tools that find and *fix* vulnerabilities in > software. > General information is here: <https://aicyberchallenge.com/> > > The AIxCC semifinal competition was last week at DEF CON 32 (2024). > All competitors were given an identical set of Challenge Projects, which were > real-world OSS projects seeded with synthetic vulnerabilities. > The projects were Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika. > There were 7 winners; each winner received $2 million US as a reward, and > those > teams will be allowed to compete in the finals at next year's DEF CON. > > An official summary is here: <https://www.darpa.mil/news-events/2024-08-11>. > Some other interesting links related to the semifinals include: > <https://blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/> > <https://www.youtube.com/watch?v=sQKGWZvuLko> > > One of the competing teams, Team Atlanta, even found a real-world bug in > SQLite3. > This was reported to SQLite through their usual process; it's fixed in trunk. > More info > about that specifically is here: > - <https://x.com/TeamAtlanta24/status/1822739301463130271> > - <https://sqlite.org/forum/forumpost/81670d1056> > > The tools must be released by next year as open source software, with an > OSI-approved license, > as a condition for accepting prize money or competing in the final > competition. Exact text is in the > "Open-Source Requirement" section in its rules > <https://aicyberchallenge.com/rules/>. > The challenge problems were all based on real-world OSS, and the > hope is that in the long term such tools can automatically find & fix > vulnerabilities in all > software including OSS. > > Full disclosure: I work for the Open Source Security Foundation (OpenSSF) and > I > have been working with DARPA & ARPA-H supporting this. That said, I thought > others in this mailing > list would want to know about it. No research is *guaranteed* to produce > something > leading to useful results, but I think this is a promising approach. We > definitely could *use* > tools that automatically find & fix vulnerabilities, if they're good enough!! > > --- David A. Wheeler >
