Automated Vulnerability Research

Design Challenge

- Now open for registration until 2nd of March -

When: MARCH – JUNE 2022

Players: Student teams from Dutch Academic Universities, Dutch Universities of

Applied Sciences or other interested Dutch organization

Rewards: 1st place 500 EUR, 2nd place 250 EUR, 3rd place 100 EUR

For info: AVR Challenge website (https://avrchallenge.gitlab.io)

To register: AVR Challenge registration form (https://forms.gle/u3Atmig4wAzXb2yw7)

Organizers: Contacts at each organization (https://avrchallenge.gitlab.io/AVR-Contacts.html)

The Challenge

Inspired by the DARPA Cyber Grand Challenge, as a team (max 4 students) you are challenged to

design and build, or improve a system for automated discovery of security vulnerabilities.

You will be provided with a docker-compose file, using Ubuntu version 20.04 as a base image; a

test set of target programs; and a Makefile to automatically build/run the test environment. You will

also be provided with links to educational material and the opportunity to meet experts in the field.

Your team is tasked to submit:

Round 1 (March 31st): the source code of your vulnerability finder (for example fuzzer or

symbolic execution), able to perform in a 8 GB RAM environment on the

test set of target binaries.

Round 2 (April 30th): the source code of 5 new and realistic programs written in C/C++ using

only stdin, stdout and stderr. Each program should contain 2

vulnerabilities, which can be triggered without crypto or checksum, and

are compiled without stack canaries.

Round 3 (May 31st): your improved vulnerability finder and a report (PDF, max 8 pages)

describing your design choices.

Your submissions will be reviewed and scored cumulatively by an expert committee. Scoring will

be based on how well and quickly your program is able to identify unique vulnerabilities in the

programs submitted by the other teams. Points can also be obtained by submitting programs

containing difficult to find vulnerabilities. Assignment description and detailed competition rules

will be here published shortly.

The winning teams will be announced by the end of June 2022.

Submitted code and datasets will be made publicly available after the event.