Hacker-bots are real—as demonstrated by Mayhem, a completely automated platform that made off with the first-place prize in the US military’s auto-hacking contest, the Cyber Grand Challenge (CGC).
Mayhem was created by a Pittsburgh-based team known as ForAllSecure—one of seven teams that competed for nearly $4 million in prizes in the DARPA-sponsored competition, performed at Blackhat 2016. First place in the CGC carries a cash award of $2 million.
Xandra, a computer system designed by team TECHx of Ithaca, N.Y., and Charlottesville, Va., was declared the second-place winner; and Mechanical Phish, a system designed by team Shellphish of Santa Barbara, Calif., was named the third-place winner. The second- and third-place teams will receive $1 million and $750,000, respectively.
Mayhem has been invited to participate in this year’s DEF CON Capture the Flag competition, marking the first time a machine will be allowed to play in that historically all-human tournament.
“I’m enormously gratified that we achieved CGC’s primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defense is indeed possible,” said Mike Walker, the DARPA program manager who launched the challenge in 2013. “The effort by the teams, the DARPA leadership and staff, and all the hundreds of people who helped make this unique, open-to-the-public test happen was enormous. I’m confident it will speed the day when networked attackers no longer have the inherent advantage they enjoy today.”
DARPA’s CGC was designed to accelerate the development of advanced, autonomous systems that can detect, evaluate and patch software vulnerabilities before adversaries have a chance to exploit them.
The need for automated, scalable, machine-speed vulnerability detection and patching is large and growing fast as more and more systems—from household appliances to major military platforms—get connected to and become dependent upon the internet. Today, the process of finding and countering bugs, hacks and other cyber infection vectors is still effectively artisanal. Professional bug hunters, security coders, and other security pros work tremendous hours, searching millions of lines of code to find and fix vulnerabilities that could be taken advantage of by users with ulterior motives.
The DARPA event was the first head-to-head competition among developers of some of the most sophisticated automated bug-hunting systems ever developed. For almost 10 hours, competitors played the classic cybersecurity exercise of Capture the Flag in a specially created computer testbed laden with an array of bugs hidden inside custom, never-before-analyzed software. The machines were challenged to find and patch within seconds—not the usual months—flawed code that was vulnerable to being hacked, and find their opponents’ weaknesses before the defending systems did. The entire event was visualized for attendees on giant monitors and livestreamed for remote viewers, with expert “sportscasters” documenting the historic competition.
“This may be the end of DARPA’s Cyber Grand Challenge but it’s just the beginning of a revolution in software security,” Walker said. “In the same way that the Wright brothers’ first flight—although it didn’t go very far—launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense. That is a huge advance compared to where the cyber defense world was yesterday.”
Photo © alphaspirit