Build It, Break It, Fix It: Contesting Secure Development.
Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle Mazurek, Piotr Mardziel.
In Proceedings of the ACM Conference on Computer and Communications Security (CCS). October 2016.

Topics: secure coding contest

Andrew Ruef
Michael Hicks
James Parker
Dave Levin
Michelle Mazurek
Piotr Mardziel

[ pdf ]

Typical security contests focus on breaking or mitigating the impact of buggy systems. We present the Build-it, Break-it, Fix-it (BIBIFI) contest, which aims to assess the ability to securely build software, not just break it. In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams' submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended-teams can use any language, tool, process, etc. that they like. As such, contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. During 2015, we ran three contests involving a total of 116 teams and two different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in other statically-typed languages were less likely to have a security flaw; build-it teams with diverse programming-language knowledge also produced more secure code. Shorter programs correlated with better scores. Break-it teams that were also successful build-it teams were significantly better at finding security bugs.
  author = {Andrew Ruef and Michael Hicks and James Parker and Dave Levin and Michelle Mazurek and Piotr Mardziel},
  title = {Build It, Break It, Fix It: Contesting Secure Development},
  booktitle = {Proceedings of the ACM Conference on Computer and Communications Security (CCS)},
  year = {2016},
  month = {October},