This page tracks our progress in working towards full identification of the vulnerabilities found in DARPA's Cyber Grand Challenge dataset. A huge thank you to Trail of Bits for porting these challenge binaries from DECREE to Linux, macOS, and Windows!

If you want to test these queries, you have two options.

• Compile your own cb-multios binaries and analyze them with PM
• Use our compiled cb-multios binaries and our pre-analyzed data set

If you want to use our data. You can download the cb-multios binaries from this link (239 MB), and download analysis files from our open S3 directory.

If you use our data and your own binaries to verify queries, you'll likely encounter discrepancies if you used a different version of Clang to compile. So we suggest using your own analysis and binaries, or using both our analysis and our binaries.

The DARPA Cyber Grand Challenge (CGC) performers adhered to a very convenient format when documenting their challenge binaries (CB). Not only do they make it clear what the vulnerabilities are in the CBs, they tell you where they are, the challenges involved in automated discovery of these vulnerabilities, and any applicable CWEs.

CWEs are MITRE's Common Weakness Enumeration Check out of a Use After Free (UAF) vulnerability class at CWE-416. The GCG CB "FileSys" is an example of a CB with this vulnerability.

The list below is broken down into CWEs and any relevant DARPA Cyber Grand Challenge CBs. As we test new queries, we'll run them against all related CBs in the dataset and see which ones it finds, and which ones it doesn't. This will give us a sense of how well Paper Machete is doing against these binaries.

Performing false positive testing on the entire dataset is extremely important to us, but for the time being, we're focusing on writing the first pass of queries and tracking how well they do against problems they should work on.

The following sections list the CWEs, related CGC challenge binaries, the query that finds the vulnerability, and a link to the cb-multios ported challenge problem.

"The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow."

"A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function)."

"The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array."

"The software uses a function that accepts a format string as an argument, but the format string originates from an external source."

"The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer."