What is HACK@DAC?
HACK@DAC is a hardware security challenge contest, co-located with DAC, for finding and exploiting security-critical vulnerabilities in hardware and firmware. In this competition, participants compete to identify the security vulnerabilities, implement the related exploits, propose mitigation techniques or patches, and report them. The participants are encouraged to use any tools and techniques with a focus on theory, tooling, and automation.
The contest mimics real-world scenarios where security engineers have to find vulnerabilities in the given design. The vulnerabilities are diverse and range from data corruption to leaking sensitive information leading to compromise of the entire computing platform. The open-source SoC riddled with security vulnerabilities has been co-developed by Intel, the Technical University of Darmstadt, and Texas A&M University. HACK@DAC has been successfully running since 2018 with several hundred contestants from academia and industry.
The winners of the competition will be honored in person at the DAC award ceremony June 22-25, 2025 at Moscone West Center, San Francisco, Calif.
Why HACK@DAC?
The growing number of hardware design and implementation vulnerabilities has led to a new attack paradigm that casts a long shadow on decades of research on system security. It disrupts the traditional threat models that focus mainly on software-only vulnerabilities and often assume that the underlying hardware is behaving correctly and is trustworthy.
System-on-Chip (SoC) designers use a mix of third-party and in-house intellectual property (IP)cores. Any security-critical vulnerability in these IPs can undermine the trustworthiness of the whole SoC.
Attacks may cause a system failure or deadlock, remotely access sensitive information, or even gain privileged access to the system, bypassing the in-place security mechanisms.
Who Can Participate?
Participating teams can be from industry, academia, or a combination. They will receive an altered OpenTitan SoC design with planted security vulnerabilities. They must identify these vulnerabilities, assess their impact, provide exploits, and propose mitigation.
The teams can use any tool or technique and should provide a detailed report on their findings. The submitted bug reports will be evaluated based on a scoring system that considers the number and severity of security vulnerabilities, their exploitation, and the used security assurance automation methods and tools.
The competition unfolds in two phases, and we will handle the final phase during DAC 2025.
Participating teams can be from industry, academia, or a combination. They will receive an SoC design with planted security vulnerabilities. They must identify these vulnerabilities, assess their impact, provide exploits, and propose mitigation. The teams can use any tool or technique and should provide a detailed report on their findings. Only the selected teams from the first phase can participate in the final phase during DAC 2025.
Learn More and Register Your Team