LAS VEGAS, Aug. 6, 2016 —
Three teams earned prize money in the Defense Advanced Research Projects Agency’s Cyber Grand Challenge here yesterday, but all seven finalists received awards for their substantial contributions to creating the world’s first autonomous bug-hunting machines.
After three years of research and development, the teams, some with members from all over the world, cut the cords with their machines Aug. 4 and -- the air gap between them complete -- the cyber reasoning bots were on their own for the world’s first all-machine hacking tournament.
Amongst themselves the bots played capture the flag, a game usually played intensely by human hackers to find, diagnose and fix software flaws in real time in a simulated adversarial environment.
In just over 8 hours of computation and 96 rounds of about 270 seconds each, the machines authored 421 replacement binaries, or new native code, that were more secure than the originals. They also authored 650 unique proofs of vulnerability: inputs that navigate the maze of inputs accepted by the software and demonstrate that the software under analysis was vulnerable.
Redefining What’s Possible
“Tonight, completely autonomous systems played in an expert contest. In 2013 no such system existed and tonight seven of them played at a very high level,” DARPA CGC Program Manager Mike Walker said at a press briefing immediately after the challenge.
“There's a saying in the hacker community that ‘zero day can happen to anybody.’ What that means is that unknown flaws in software are a universal lock-pick for intruders,” he said.
“Tonight we showed that machines can exist that can detect those lock-picks and respond immediately,” Walker added. “We have redefined what is possible and we did it in the course of hours with autonomous systems that we challenged the world to build.”
The first-place team, which receives a cash prize of $2 million, was ForAllSecure from Pittsburgh, a company founded by David Brumley, Thanassis Avgerinos and Alex Rebert. The company, whose bot is called Mayhem, has grown to nine employees in Pittsburgh and the San Francisco Bay area. They say their technology is the result of more than a decade of program analysis research at Carnegie Mellon University.
Xandra, a bot designed by team TECHx of Ithaca, New York, and Charlottesville, Virginia, is the second-place winner and will receive $1 million. And Mechanical Phish, a bot designed by team Shellphish of Santa Barbara, California, will receive $750,000 as the third-place winner.
Shall We Play A Game?
The CGC was co-located this year with DEF CON, the world’s largest hacker convention. Walker, himself a member of the hacker community and a respected capture the flag player, spoke last year at DEF CON about the future all-machine capture-the-flag competition.
After Walker’s remarks, a DEF CON audience member challenged the CGC winner to play with the human experts at DEF CON’s 2016 capture the flag. Walker agreed to take the challenge to the finalists.
At the ceremony yesterday, after all the teams had received their awards, Walker invited the captain of the Legitimate Business Syndicate up to the stage.
“I just have one question for Mayhem,” he said. “Shall we play a game?”
It was the same question the War Operation Plan Response computer asked Matthew Broderick’s character, a young hacker, in the 1983 movie “WarGames.”
On the stage in Las Vegas, ForAllSecure co-founder Rebert moved to the mic. “It’s on,” he said.
The multi-day challenge is now in progress, the first time a machine has had a seat at the table of a capture-the-flag hacking event, and the results will be in on Aug. 7.
“We have no expectation that [Mayhem] is going to be able to compete with experts,” Walker said. “It would be a bit like entering one of the first chess playing machines into a high-level chess tournament.”
But, he said, “We are interested in what it will do in the first five minutes, in one of those places that only computers can go -- high-speed reaction time. And hopefully it puts a good first foot forward for autonomy.”
On The Horizon
Challenges like CGC aren’t the right solution to every problem, Walker said, but they work when a technology is on the horizon, on the edge of feasibility, and needs integration among several cutting-edge technologies into a single prototype.
“With self-driving cars I think you saw LIDAR, computer vision, machine learning, imaging, sensing and onboard computing all fused into a prototype, and it's very difficult to know before a prototype exists what the correct prototyping approach is,” Walker explained.
“That’s kind of where we were with the idea of machines being able to do fundamental computer security tasks in 2013. All these technologies for studying programs -- everything from formal methods and automated mathematics to search and Monte Carlo input-generation techniques like fuzzing, directed fuzzing, dynamic analysis, sandboxing, the healing of execution divergence -- for all these things, research papers had been published that said we can automate this to better inform the analyst,” he added.
All the chains of technology and capability ended at a person, Walker said, and the question at the center was, what if they didn’t end at a person? What if they could be tied together, and what’s the best way to do that?
When the CGC began taking shape in 2013, Walker sought participation from teams from all over the world.
“I believe crowdsourcing was the right answer to that question, and that getting global innovation in on the problem helped us get a much better result today,” he said.
(Follow Cheryl Pellerin on Twitter @PellerinDoDNews)