Bots chase down the bugs in Cyber Grand Challenge

In DARPA's Cyber Grand Challenge, seven teams from industry and academia strove to show how automated systems could find and fix software flaws within seconds.

Research teams took a big step toward fixing software flaws at the speed of machines last weekend during the Defense Advanced Research Projects Agency’s Cyber Grand Challenge, held in Las Vegas in conjunction with the DEF CON Hacking Conference.

The challenge, known as CGC, was billed as the first “all-machine” hacking tournament, with the goal of using automation to seek out and fix bugs in an increasingly connected world, particularly one involving the Internet of Things.

Taking home the top prize of $2 million was a machine called Mayhem, developed by ForAllSecure of Pittsburgh, a startup founded by researchers from Carnegie Mellon University. Second place and $1 million went to Xandra, developed by TECHx, a venture by GrammaTech Inc. and the University of Virginia. And the $750,000 third prize was won by Mechanical Phish, developed by Shellphish, a group of computer science graduate students at the University of California, Santa Barbara. Seven teams in all were invited to the tournament.

The eight-hour competition took place over 96 rounds of Capture the Flag, a regular feature in hacking tournaments, on a computer testbed loaded with bugs hidden in software that had never before been analyzed, according to a Defense Department release.

Finding and patching software flaws is still largely a manual process, which DARPA has said is problematic as more and more devices get connected to the Internet. Bugs and malware can hide for months before being discovered; DARPA notes that the Heartbleed bug went unnoticed for two and a half years. The goal of the CGC is to create automated systems that can find and patch vulnerable code in a matter of seconds.

“DARPA was created nearly 60 years ago to prevent technological surprise, and I can think of no better way of doing that in today’s networked world than by developing automated, scalable systems able to find and fix software vulnerabilities at machine speed,” DARPA Director Arati Prabhakar said at the conference. “Our goal in cyber is to break past the reactive patch cycle we're living in today, and unleash the positive power and creative potential of the information revolution.”

“I am amazed at the speed with which the machines responded to the use of bugs in software they had never seen before and fielded patches in response,” said Mike Walker, CGC program manager. “All of this data will now be openly shared to help ensure the promise of this automation is achieved.”

While the CGC showed promise for the future of automated software fixes, there is still a long way to go. One of the Mayhem team’s rewards for winning was an invitation to DEF CON’s Capture the Flag tournament, which features many of the best security experts. “I don’t expect Mayhem to finish well,” Walker said. “This competition is played by masters and this is their home turf. Any finish for the machine save last place would be shocking.” He proved to be right, as Mayhem finished last among 15 contestants, TechCrunch reported.

But DARPA’s challenges, such as last year’s Robotics Challenge, aren’t about finding a final answer as much as they are about getting the ball rolling toward new technology.

“This first step is about lighting a spark, igniting an automation revolution, and watching the technology that will follow Mayhem in the years to come,” Walker said. “Automation may someday overcome the structural advantages of network offense and give the defense a chance at a fair fight. It can’t happen fast enough.”