English

Build It, Break It, Fix It: Contesting Secure Development

Cryptography and Security 2019-07-04 v1

Abstract

Typical security contests focus on breaking or mitigating the impact of buggy systems. We present the Build-it, Break-it, Fix-it (BIBIFI) contest, which aims to assess the ability to securely build software, not just break it. In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams' submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended; teams can use any language, tool, process, etc. that they like. As such, contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. We ran three contests involving a total of 156 teams and three different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in a statically-type safe language were 11 times less likely to have a security flaw than C/C++ submissions. Break-it teams that were also successful build-it teams were significantly better at finding security bugs.

Keywords

Cite

@article{arxiv.1907.01679,
  title  = {Build It, Break It, Fix It: Contesting Secure Development},
  author = {James Parker and Michael Hicks and Andrew Ruef and Michelle L. Mazurek and Dave Levin and Daniel Votipka and Piotr Mardziel and Kelsey R. Fulton},
  journal= {arXiv preprint arXiv:1907.01679},
  year   = {2019}
}

Comments

35pgs. Extension of arXiv:1606.01881 which was a conference paper previously published in CCS 2016. This is a journal version submitted to TOPS

R2 v1 2026-06-23T10:10:36.536Z