
John Hammond Interviews DARPA's Andrew Carney on AI Cyber Challenge
In this video, John Hammond interviews Andrew Carney, Program Manager at the Defense Advanced Research Projects Agency (DARPA), about the AI Cyber Challenge (AICC or AIxCC). This two-year competition combines top talent in vulnerability research and software security with emerging artificial intelligence (AI) technologies, including large language models (LLMs), to improve the detection and correction of vulnerabilities in open-source software used in critical infrastructure.

Andrew Carney explains that the AICC aims to bridge the gap between the ability to detect vulnerabilities and the ability to fix them. The competition is structured in several phases, beginning with a qualification phase in which 90 teams from around the world created systems capable of reasoning about software, finding vulnerabilities, and creating patches. For the final, the seven finalist teams will have the opportunity to use custom models and open-weight models, offering greater technological flexibility.

One notable success of the competition was a team's discovery of a non-synthetic vulnerability in SQLite, a widely used piece of software. This discovery was particularly exciting because it was integrated into the main version of SQLite, demonstrating the real impact of the competition. Carney emphasizes the importance of securing open-source software, which is often used in critical infrastructure, and of ensuring that even lesser-known libraries and packages are secure.

The AICC final will take place at DEF CON this year, where the finalist teams will have access to additional resources and time to tackle the challenges. The results and solutions of the winning teams will be made public, allowing the community to benefit from their discoveries. Carney also mentions that the teams will need to use a telemetry API to expose the internal mechanisms of their cyber reasoning systems, providing a better understanding of their processes.

For those who want to learn more or get involved, Carney recommends following the unmarked exposure events leading up to the final event, as well as participating in RSA at the end of April. He also encourages security practitioners to familiarize themselves with AI technologies and explore how they can be integrated into their current practices.

In conclusion, the AICC competition represents a promising initiative to improve the security of open-source software used in critical infrastructure. By combining advances in AI with expertise in software security, DARPA hopes to create safer and more resilient systems. For more details, you can watch the full video at the following address: https://www.youtube.com/watch?v=8W_VpO5V51A