Cyber Grand Challenge

TECHx - Xandra Cyber Reasoning System

Jack Davidson on stage at the Paris, Las Vegas

The goal of DARPA’s Cyber Grand Challenge was to address the inadequacy of current network security systems, which require expert programmers to identify and repair system weaknesses. To help accelerate this transition, DARPA launched the Cyber Grand Challenge as a computer security tournament built around the use of automated Cyber Reasoning Systems in place of experts. The Challenge used a “capture the flag” competition format that required competitors to create a computer program that autonomously reverse engineers software created by the contest’s organizers, and then finds and fixes its hidden weaknesses. The winning team would take home $2M, second place would receive $1M, and third place would garner $750K.

The University of Virginia and Grammatech, Inc. team, called TECHx, built Xandra. Xandra used binary analysis software developed at the University of Virginia to identify vulnerabilities and patch them. Grammatech provided the component of Xandra that demonstrated that a vulnerability existed. In the terminology of the competition, this demonstration was called a POV (proof of vulnerability).

The competition began in 2014 with 104 teams. Through a series of qualifying events that required teams to demonstrate technical excellence, the number of teams was narrowed to 28 for the main qualifying event held in June 2015. Seven teams advanced to the finals. They were:

  • University of Idaho (System Name: Jima)
  • University of California, Santa Barbara (System Name: Mechaphish)
  • University of California, Berkeley (System Name: Galactica)
  • Raytheon, Inc (System Name: Rubeus)
  • University of Virginia and Grammatech, Inc (System Name: Xandra)
  • ForAllSecure, Inc (System Name: Mayhem)
  • Disekt (System Name: Crspy)

In August 2016 at DEF CON 24, the seven teams faced off in a final contest. The winning team was ForAllSecure. TECHx (University of Virginia and Grammatech) finished second, and Mechaphish (University of California, Santa Barbara) finished third. The scoring breakdown was as follows.

System       Defense   Offense   Availability
Mayhem       #6        #6        #1
Xandra       #1        #4        #2
Mechaphish   #2        #1        #5
Rubeus       #3        #3        #4
Galactica    #4        #2        #6
Jima         #7        #7        #3
Crspy        #5        #5        #7

Jack W. Davidson
Professor of Computer Science

Jack Davidson is an ACM and IEEE Fellow. His research interests include compilers, programming languages, computer architecture, embedded systems, and computer security. His current research interests are focused on the areas of computer security, run-time management of applications running on multi-core systems, and computer science education.