
DARPA Cyber Grand Challenge - bra-ket
http://cybergrandchallenge.com/
======
fapjacks
Jesus. This site hurts to use. What's with the UI pigeonholing?

~~~
tim333
Plus it was using about 30% CPU for the one page.

------
bahador
Please let's all agree that scroll-jacking must die.

------
jmgrosen
I'm on a team that will be participating in the upcoming qualifier for the
finals. I'd be happy to answer any questions about the challenge (that I know
the answers to), though not any about our specific techniques ;)

~~~
plantbased
For the love of god give us all the TL;DR, the site is awful.

------
schoen
This is a neat idea, nicely presented. The proposal appeals to a wide audience
by explaining the defensive significance of the tools it asks participants to
develop. Is there any reason to think that people who were directly or
indirectly involved in proposing this challenging are also interested in
offensive applications, and chose not to talk about them?

~~~
avoutthere
> nicely presented

I couldn't disagree more.

~~~
schoen
Sorry, I didn't actually go through the entire scrolling graphics thing, I
just read the explanation of the idea. I'll agree that that part didn't add to
my understanding and I didn't intend to praise it.

------
frik
TL;DR: It's about the "Internet of Things"

It's a buzzword with an vision that can have a positive but also a negative
outcome for our society.

For example: The nest thermostat learns your behavior and selects your
favorite temperature depending the day of time, the ambient light, ... it
learns with you - and actually helps to save you energy. The opposite is a
"smart meter" forced on you by new regulations that isn't smart at all and
doesn't help you to save energy but sends your power usage data (your private
life data) in regular intervals over the net to the usual data collectors.

Another example: All Ford automobiles that come with the Sync board computer
(2008-2015, Windows CE based) can be optionally set to do the following in the
event of a crash (at the time when the airbags go off): use your phone
connected via Bluetooth, set a call to the international emergency hotline,
speak via the Nuance Text-To-Speech software an emergency text including your
current position (car have an inbuilt GPS antenna) and open the microphone so
that you can talk with the emergency hotline or at least they can hear the
audio if you are unable to speak. On the otherside, some lobbies try to
propose in the US/EU a new law where every car has to share its location and
some other "metadata" in a short interval (as soon as you turn on your motor)
to a central data collector - so that in the event of an accident they know
where you are, as they say.

Decide yourself which version of the "Internet of Things" vision you want to
have in your everyday life.

~~~
darkmighty
The nest thermostat is a completely different device from an utility smart
meter.

For example, I can see smart meters helping provide real time data _to the
utility_ about power usage. Utilities are engaged in an enormous task of
forescating power demand, which is probably much harder than weather
forecasting even (as that is a subtask of demand forecasting!) -- and can net
huge savings for the companies; or allowing more fair pricing schemes that
discourage usage in times of high demand; etc. That's a real benefit for
society.

I don't think there's a need to put a tin foil hat and demand that all
personally identifiable information collection be ceased. We instead just have
to make sure this info is getting used properly (within the designated scope)
with according security for each problem. In other words: scrutiny, not
celibacy.

~~~
frik
> completely different device

You can twist it how you like but it doesn't make a difference - it's a device
that the PR suggests that it helps you save energy and costs. One device
(Nest) lives up the dream and is great, the other (smart meters) is the
opposite - but it could be a great device too if it would live up the original
PR vision.

> enormous task of forescating power demand

Not really, the electrical power transformer stations that are physically
located near your home already communicate about the power demand habits to
the central power grid network. There is no technical reason to track every
single house hold every 15min or every hour.

> provide real time data to the utility

Do you believe it's great that a washing machine is running during the night
to save costs for the power company (and maybe you) but keeps you and your
neighbors awake and you have to deal with wrinkled laundry in the morning?

One can save energy at home, but the biggest power consumers at home are
devices that are used at specific times - and that time cannot be deferred to
the night - except one wants to be the slave of his own devices. On the other
side a lot of energy could be saved in industrial production by optimizing
processes.

Next time one buys a device check the energy rating - but be smart and
cautious as some very energy efficient rated devices like new electric kettles
and vacuum cleaners consume less power by using less Watt which means
physically it takes longer to boil the water or the vacuum cleaner is less
efficient as the engine is less powerful and it takes longer to clean your
home.

Far better for the environment is to install photovoltaic panels near your
home yourself. Especially then an electric car makes a lot of sense.

~~~
IanCal
> it's a device that the PR suggests that it helps you save energy and costs.

I think being able to see your usage broken down to more than one reading per
quarter can definitely help. You can then change your behaviour and see the
improvements very quickly. One product many of the companies hand out with
smart meters is something that sits there and tells you how much you're using
_right now_. I can easily see that making people realise just how much they're
using while not realising it, and turning some things off.

> but be smart and cautious as some very energy efficient rated devices like
> new electric kettles and vacuum cleaners consume less power by using less
> Watt which means physically it takes longer to boil the water or the vacuum
> cleaner is less efficient as the engine is less powerful and it takes longer
> to clean your home.

While you do need to check, you can definitely get lower powered kettles and
vacuums (particularly the latter) that are as good or better. The EU has come
around to regulating vacuums because many were just putting uselessly big
motors in that did nothing really helpful for actually cleaning, but used
loads of energy since people see a higher power and think it's automatically a
better vacuum.

------
nickpsecurity
Will be interesting but a distraction from real INFOSEC work. DARPA and NSF
have been leading the way with programs investing in real security. All kinds
of results from SAFE processor to CHERI capability architecture to self-
diversifying systems to inherently secure programming have come from this.
Their HACMS work, for example, was even integrated into a UAV software.

It's that sort of work that's really delivering and needs more support. Smart
people at institutions with good grant writers should stay watching all the
DARPA and NSF security funding announcements. Plenty of money going around to
solve fundamental problems. Great results so far that just need more
development and adoption. And more bright men and women in the trenches
fighting the rest of the hard problems.

~~~
minthd
I wonder , are those technologies scalable to micro-controllers ? because
there the problem of backward compatibility is significantly reduces - as long
as you supply a tcp/ip stack and an efficient compiler, the rest of the code
is relatively easy , in many cases.

~~~
nickpsecurity
Yes, actually. Heck, the very limited PDP-1 was a capability machine of sorts.
Most microcontrollers run circles around it. The simplest of the new schemes
check small tags with hardware that runs in parallel to the processor.
Essentially, the processor executes the instruction and the result is not
written unless parallel unit says "All good." This should have little
performance, latency, and chip area overhead. I'm not saying every
microcontroller of every cost and such can be done this way: probably just
mid- to high-end microcontrollers will be secure by design.

Also, there's long been chips design to run languages that are type- or
memory-safe by design. Sandia Labs recently made a high assurance processor
for a Java subset: the Sandia Secure Processor (SSP) or "Score" processor. It
doesn't allow new code in production mode, resists all kinds of errors, has
assured tool sets, has a converter from legacy Java to its, speaks JVM
natively with associated benefits, uses asynchronous interrupts for
determinism, and is fabbed in a rad-hard process. They aimed at safety &
assurance over throughput so the specs are 25Mhz from 35,000 logic gates (110K
with memory). Their ASSET framework and its high assurance design also led to
amazing feet of 3 weeks from synthesis to working ASIC with no timing errors.
They said similar projects normally take 6 to 18 months (!!!).

In closing, the above is evidence embedded can benefit. Yet, two in embedded
just popped into my mind: CodeSEAL and smartcards. CodeSEAL combines custom
hardware with a processor to (a) encrypt and hash memory pages to stop leaks
or attacks outside SOC; (b) control flow whitelist produced by compiler to
block all attempts to hijack it. MicroSEMI sells this commercially. Other one
is smartcards: microcontrollers with strongly assured hardware, firmware,
VM's, and so on for small prices. I should've thought of them first because
they kind of answer the whole question, don't they?

Guess it doesn't hurt to spread more info on high assurance security tech. ;)

~~~
minthd
Thanks! Very interesting, especially the sandia rapid development tool.Could
be really useful in creating low-cost mcu's.

I've looked through a few of the examples, and they are useful, but they
require a different toolset from what real-time engineers use(JVM/CodeSEAL),
and you probably need to certify your code in order to get eal6+ for your
system. All those are big barriers for penetration, which probably creates
less incentive for mcu companies to develop eal6+ mcu's with rich peripherials
which will appeal to the market.

Do you see a way out of this ? maybe using rust(or some other language), an
eal6+ certified RTOS and an eal6+ mcu , would enable people creating secure
real-time systems without need of certification?

~~~
nickpsecurity
The toolset differences are a _huge_ barrier to market penetration. It's why
technically superior, but architecturally different, products of the past were
ignored to our loss. Itanium, with its advanced security, is a recent example.
Not all are like that, though. There are a number that just protect pointers,
do segments, do address space protection (see INTEGRITY-178B), or vary the
granularity of the protection for legacy compatibility. These tend to support
a modified UNIX/Linux kernel and/or GCC modifications. Things are otherwise
the same. So, there's potential in those.

I found the following looking into embedded use and what works with similar
tools. This tagging scheme [1] integrates with RTEMS and C albeit with more
complexity than some. The guarded pointers [2] from mid-90's probably would
work well with microcontrollers given embedded code is often fairly static,
esp safety-critical schemes. The critiques shouldn't apply as much except cost
of extra bits. The SAFE architecture's PUMP [3] does arbitrary policies with
costs that _might_ put it outside of microcontroller range (high end? mid-
range?). One can even use the old Burrough's model where 2 tags bits per word
are used to ID pointers and code. Writes to either generate an interrupt for
security system to approve based on context. Again, embedded is static enough
that there should be no such interrupts in normal operation if pointer-
arithmetic is avoided, right?

Feel free to give your thoughts on these in terms of microcontrollers or low-
cost microprocessors.

[1]
[http://www.uidaho.edu/~/media/Files/orgs/ENGR/Research/CSDS/...](http://www.uidaho.edu/~/media/Files/orgs/ENGR/Research/CSDS/2014/A%20New%20Operating%20System%20for%20Security%20Tagged%20Architecture%20Hardware%20in%20Support%20of%20Multiple%20Independent%20Levels%20of%20Security%202014.ashx)

[2]
[https://www.cs.utexas.edu/users/skeckler/pubs/asplos94.pdf](https://www.cs.utexas.edu/users/skeckler/pubs/asplos94.pdf)

[3] [http://www.crash-safe.org/assets/PUMP-ASPLOS-2015.pdf](http://www.crash-
safe.org/assets/PUMP-ASPLOS-2015.pdf)

~~~
minthd
Thanks.

The guarded pointers look great , and both them and the Burrough model could
work well for micro-controllers, and suffer a relatively small penatly. The
SAFE-PUMP would probably need a relatively new manufacturing process to make
economical sense for medium-end microcontroller or would be fitting for a
high-end microcontroller.

>> Again, embedded is static enough that there should be no such interrupts in
normal operation if pointer-arithmetic is avoided, right?

I think when calling a function and pushing stuff into the stack ,you'll need
such interrupts, and maybe in other situations.I'm no sure though, i'm just an
hobbyist in embedded, but pretty interested in the industry - and the tension
between the fact that everybody says internet-of-things-security is a big
issue with no solution and on the other hand ,the availability highly secure
research and working systems.

Anyway, thanks again for your help!

------
facepalm
I suppose the challenge is to read through the site and successfully extract
it's meaning?

~~~
nickpsecurity
Lmao. My initial reaction exactly. DARPA's writers are usually better than
this if it's something open to the public. Other times, they do it on purpose.
Maybe they got mixed up on which style to use.

------
fapjacks
Or, less formally, the "Build An Internet That Pwns Itself For The Government"
contest.

~~~
colinthompson
Where would silicon valley, and the world in general, be without DARPA? Not
that I am trying to support any big brother agenda, but it's hard to deny that
your smartphone and computer owe at least some part of their existence to
efforts on the part of the US defense budget. Again, I am not trying to take
sides, I just find it shortsighted to cast a disapproving eye on government
projects....or at least funding.

~~~
nickpsecurity
Just agreeing here on the part about DARPA. It's possible, though, that you
have no idea just how much DARPA was involved. Despite my research, I just now
stumbled onto the Strategic Computing Initiative which shows most of the
coolest stuff I studied was all tied to DARPA. Most people haven't heard of it
despite it being much more useful than the other Strategic Initiative they
know about. Link below for your enjoyment.

[http://monoskop.org/images/d/d4/Roland_Alex_Shiman_Philip_St...](http://monoskop.org/images/d/d4/Roland_Alex_Shiman_Philip_Strategic_Computing_DARPA_and_the_Quest_for_Machine_Intelligence_1983-1993.pdf)

------
daveloyall
> The Skynet Funding Bill is passed. The system goes on-line August 4th, 1997.
> Human decisions are removed from strategic defense. Skynet begins to learn
> at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August
> 29th. In a panic, they try to pull the plug.

