Seven teams advanced to the finals after the DARPA AI Cyber Challenge (AIxCC) semifinal competition at DEF CON 32 last week. The teams were each awarded a $2 million prize and will participate in the final competition in August 2025.
A partnership between DARPA and the Advanced Research Projects Agency for Health (ARPA-H), the AIxCC competition had teams design artificial intelligence (AI) systems to secure open source infrastructure software that is used across the private and public sectors in areas like finance, utilities, and health care. These systems are vulnerable to cyberattacks because they have large attack surfaces and lack security tools at scale. Indeed, many have been recent targets, highlighting the urgent need to protect critical infrastructure.
For the competition, teams were asked to develop cyber reasoning systems that could find and fix vulnerabilities in a set of “challenge projects” that were designed by AIxCC experts. Nearly 40 teams submitted systems. The competitors’ systems discovered 22 unique synthetic vulnerabilities and patched 15 of them. The systems found 11 unique patches for C-based challenges and four for Java-based challenges. One real-world bug was found in SQLite3 and has been disclosed.
“In true DARPA fashion, we didn’t know if our hypothesis would be proven when we launched this program. Now we’ve seen that AI systems are capable of not only identifying but also patching vulnerabilities to safeguard the code that underpins critical infrastructure,” said Andrew Carney, program manager for AIxCC, in a statement.
The following teams will advance to the final:
-
all_you_need_is_a_fuzzing_brain
Teams have one year to develop their systems before next year’s final competition. AIxCC will distribute $29.5 million in prize money to the teams judged to create the most effective systems, and winners must release their systems as open source software after the competition.