The semifinal competition of the Defense Advanced Research Projects Agency’s (DARPA) AI Cybersecurity Challenge (AIxCC) took place at this year’s DEF CON.
AIxCC, in collaboration with the Advanced Research Projects Agency for Health (ARPA-H), asked competitors to design novel AI systems to secure the open-source software that undergirds everything from financial systems to public utilities and the health care ecosystem.
DARPA first announced AIxCC ahead of last year’s DEF CON, noting that the two-year competition will yield $18.5 million in prizes to “drive the creation of new technologies to rapidly improve the security of computer code, one of cybersecurity’s most pressing challenges.”
During the AIxCC, teams aimed to develop “cyber reasoning systems” capable of automatically processing a set of “challenge projects” with the goal of finding and fixing vulnerabilities.
According to DARPA, AIxCC received nearly 40 cyber reasoning systems and tested each against an identical corpus of challenge projects, each based on a real-world, open-source project that is critical to industry, national security, and the public: Jenkins, the Linux kernel, Nginx, SQLite3, and Apache Tika. The challenge projects contained synthetic vulnerabilities for teams’ systems to identify and attempt to patch.
In total, competitors’ systems discovered 22 unique synthetic vulnerabilities in the challenge projects, and of those, patched 15. Competitors’ systems also found one real-world bug in SQLite3.
“In true DARPA fashion, we didn’t know if our hypothesis would be proven when we launched this program. Now, we’ve seen that AI systems are capable of not only identifying but also patching vulnerabilities to safeguard the code that underpins critical infrastructure,” said Andrew Carney, program manager for AIxCC. “We saw vulnerability discoveries in every Challenge Project – across vulnerability classes – and successful patches in four out of the five Challenge Projects. What the competitors achieved on a condensed timeline and amidst a multitude of complexities is nothing short of remarkable.”
The top seven scoring teams that will be awarded $2 million each and advance to the final competition are: 42-b3yond-6ug; all_you_need_is_a_fuzzing_brain; Lacrosse; Shellphish; Team Atlanta; Theori; and Trail of Bits.
Finalist teams have one year to mature their technology before the AIxCC final competition in August 2025.