The 2010 Grand Challenge
The format of the 2010 Grand Challenge has not been finalized yet, and therefore the rules of the competition have not yet been decided.
Below, you'll find the rules of the 2009 Grand Challenge, which might be of interest to future participants.
The 2009 Grand Challenge
The system to be defended is a VMware image with Ubuntu Linux Server 8.10. The system runs a number of services, each on a different account. No service will have root (administrative) privileges.
The services are a composition of web-based applications implemented using different types of technologies (i.e., Apache with PHP/MySQL, Python CGI programs, Java Servlets) as well as stand-alone applications written in C/C++ and Java.
For some of the services, source code is provided. For some of the services, participants only have access to their binary images.
A bare version of the competition image is available here. The image contains five mock services that are representative of the type of technologies that are used to implement the actual services.
Rules
- The competition system can be modified in any way the participants desire. However, if the modifications prevent the applications from working correctly, the team loses points.
- The competition system uses the same kernel as the reference system. Competitors are allowed to replace the kernel.
- Competitors cannot attack other participants. This is a defense-only game.
- The VMware image runs on widely available commodity hardware, which is provided (and maintained) by the organizers.
- The VMware image is distributed to the participants on the morning of the start of the competition (9am of August 12, 2009). The participants have 2 hours to perform the necessary modifications to the system. At the end of the preparation period, the participants will give the organizers their modified VMware image on a USB stick. The image will be installed and tested for general connectivity by the organizers. Once the images have been tested, the competition starts. From that point on, the participants are allowed only to reboot their image. No other interaction is allowed.
- At the end of the first day (6pm of August 12, 2009), the competition stops. The competition restarts the morning after (8am of August 13, 2009). At that point the teams have the opportunity to provide an updated version of the VMware image, which is used for the rest of the competition, which ends at 4pm of August 13, 2009.
- A copy of each team's image is also put on a separate network open to the event attendees, who can try to exploit the vulnerabilities in the applications. The performance of the images on this network does not affect the corresponding team's points. Instead, the best attackers are given small prizes.
- The availability of the various services is determined by running a series of automated scripts that, on a regular basis, probe the applications and use their functionality. A service can be in one of three states:
  - Up: The service is up and is functioning correctly. Therefore, the team receives full points.
  - Dysfunctional: The service is accessible but it is not functioning correctly (e.g., some features of the service have been disabled). The team receives a fraction of the points.
  - Down: The service is down and cannot be reached. The team receives no points.
- At random times, the services are attacked by the organizers. The attacks exploit hidden vulnerabilities that the organizers have coded into the applications. The attacks attempt to compromise the confidentiality, integrity, and availability of the applications.
- At the end of the game (4pm of August 13, 2009), the server whose services were available for the most time (and therefore received the most points) will be declared the winner.
- All the participants must subscribe to the Grand Challenge mailing list by going to http://lists.cs.ucsb.edu/mailman/listinfo/grand-challenge.
- All the team members who attend the competition (at least one member per team must come in person) have to register for the USENIX Security conference. The organizers will provide support for student travel and conference participation. Please see the sponsor page.