[jmgrosen]

Hey guys, member of the (currently unverified) third place team, Shellphish. If anyone has any questions, I (or another member of my team) would be glad to answer them. We'll also be giving a talk at DEF CON on Sunday after the CTF ends, where we'll be open sourcing our CRS!

[yeukhon]

Can you explain how this particular CTF work and how the system in general work against adversary? The article said insecure code and code filled with bugs are constantly being fed to the system. I don't really get it.

[riffraff]

I hope someone more knowledgeable can chime in, but AFAIU, each player acts as the manager of a certain set of services, and as an attacker against all the others.

Such services contain bugs, so what each player must do is identify the bugs, fix them or mitigate them, and at the same time exploit them to gain access to the boxes of the other players.

So basically the programs in the competition do

* vulnerability identification

* vulnerability mitigation

* identification of the best target to attack (presumably based on the first thing, not sure if other things factor in)

[harsh1618]

First of all, congratulations for the awesome work. Do any of the components of your CRS make use of machine learning techniques? I read somewhere that mayhem uses deep learning but I'm not sure how exactly that would work in a program analysis scenario. I am assuming you used some form of symbolic execution (Edit: just realized it's angr, which is often useful in CTFs). How different was it from other general purpose SE systems (Klee etc)? Did you use any formal methods too?

[bradneuberg]

Is this both automated defense and offense via machine learning, or just automated defensive systems? If it includes automated offensive systems, what's to keep these kinds of systems from jumping outside of their sandboxes and compromising the outside world?

[sanxiyn]

For a flavor of automated offensive system, see this Automatic Exploit Generation paper: http://security.ece.cmu.edu/aeg/

David Brumley, PI of the research, went on to found ForAllSecure which is the company covered in the article.

[bradneuberg]

I'd love to learn more about the techniques actually being used in thse systems. Any good pointers to some scientific papers or review articles on the subject? I have a background in machine learning so am comfortable with technical papers.

[sanxiyn]

Here is 2015 competition postmortem from Trail of Bits: https://blog.trailofbits.com/2015/07/15/how-we-fared-in-the-...

[mkagenius]

Whats your view on complete automation vs human assisted automation? Which one is better to focus building on for a 5 year timeline?

[crypto5]

What kind of AI was involved in your and competitors systems?

[jmgrosen]

If you mean AI in the sense of neural networks, Bayesian inference, etc., absolutely none in our CRS :) In retrospect, we could have made some better decisions about when to patch by using some of the simpler "AI" methods, but in terms of the actual core exploiting and defending, there's not much research into using AI in security.