What if humans didn’t have to respond to major hacks or breaches in the networks they operated, and computers could just do it automatically? That’s a question being asked by DARPA, the US military’s boldest research arm, which set up a multi-million dollar challenge to answer that question.
DARPA
Last night in a Las Vegas ballroom at DEFCON, seven illuminated server racks sat atop a massive stage where participants in the Cyber Grand Challenge deployed their specialised software that tried to defend against bugs, and roll out patches in real time to try to stop them from crippling their system. The winning team would walk away with two million dollars, offers of government contracts and hacking fame.
It was the culmination of a challenge started in 2013 by DARPA. After ruthless qualifying stages, seven teams were sitting just outside the stage watching their creations defend for attacks and try to solve complex challenge binaries, all while sports like commentators were calling out the action to a crowd of cheering fans.
“I was mostly surprised the scores were so close to each other,” Dan Guido, CEO of technology company TrailsOfBits and first round Cyber Grand Challenge competitor, told Gizmodo. “When the qualifying event was held a year ago there were several more breakaway teams that scored significantly more points than other teams that were playing. In this final event, everyone was tracking really close to each other. There was real competition here. This is significant because a team like Mayhem had a couple of years head start, whereas many of these teams started from nothing two years ago and created a fully working system that went head to head with them.”
Mayhem, built by a startup ForAllSecure working out of Carnegie Melon, took home first place. The teams were scored on three factors: Evaluation skill (finding bugs), patching skill (patching and eradicating bugs) and availability (assessing the damage to see if the system has broken or slowed down while trying to patch and find bugs). Availability turned out to be a huge factor, as the scores were determined by adding evaluation and patching skill, multiplied by availability.
“The teams that couldn’t keep their services up or teams that couldn’t respond to requests suffered really big differences in scores,” Guido said. “Everyone was pretty much finding most of the bugs, but if a team stumbled on availability, they basically never recovered.”
These teams had to defend against now dated security nightmares like Heartbleed, which was a major flaw in the SSL protocol. DARPA challenge operators fed these bugs to each team’s system, and participants just had to as had to hope that their software would be able to patch them in real time without crippling their system. After all, the final challenge strictly forbid any manual input from participants. Once the software fired up, the humans could only watch from afar and pray that the software they’d spent years building wouldn’t fail.
Closeup of “Mayhem”. The winner of the @DARPA Cyber Grand Challenge. #defcon pic.twitter.com/WTBJcjm0hI
— Nicholas J. Percoco (@c7five) August 5, 2016
This is obviously much more than a competition. DARPA is trying to help fund the next generation of cyber defence, and a system that works autonomously will be much faster and efficient when it comes to responding to cyber attacks. This challenge was an important first step to achieving the technology that would allow automated systems to find and patch bugs. This means that in the future, major security flaws could be less of a headache for the billions of the people that use the internet.
These anti hacking systems were built on a specialised operating system called Decree, so we won’t see the disparate systems merged and implemented in the real world overnight. But the research has helped advance certain components of these systems, lessons that will eventually be applied in the real world.
As Guido said, “Because of this challenge, all of a sudden people had a renewed interest into this field and they were forced to make major advances in the two years that the competition has taken place.”