In a large ballroom inside the Paris Hotel in Las Vegas earlier this month, the next leap forward in the digital revolution took place in front of a crowd of hundreds of hackers in town for the Def Con security conference.
There wasn’t a charismatic CEO on stage who would demonstrate a revolutionary new smartphone, nor was there an engineer showing off computer hardware that would be standard for years to come.
Instead, on stage in front of the audience in Las Vegas were no humans at all. There were just seven supercomputers, demonstrating for the first time that the security of networks, computers, and the very Internet itself could potentially be saved by fully autonomous systems, independent of any human control.
‘There’s no way I can keep up with that’
The event in the Paris ballroom was the culmination of a competition created by DARPA, the US military’s research-and-development arm, called the Cyber Grand Challenge. Announced in 2013, its goal was to figure out whether a machine could discover, confirm, and fix software flaws in real-time.
To understand why this was such a big deal, it’s worth explaining what the status quo is.
Throughout the entire history of computing, software programmers would write code, test it, and then ship it out to the world. They might have quality assurance, but inevitably, there would be some bugs, or worse, major security vulnerabilities that could be exploited by hackers to take control of a system or cause damage.
There were infamous examples like the Morris worm, which slowed the nascent Internet to a halt in 1988. Ten years later, an infamous hacker group testified before Congress that it had a different method that could take down the Internet in just 30 minutes with just “a few packets.” And more recently, a flaw named “Heartbleed” was discovered that had wide-ranging effects on the encryption that protects online transactions and other sensitive data.
Since software is built by humans, and humans always make mistakes, it’s inevitable that problems would arise. But what if a machine could be the human’s QA department, analysing, discovering problems, and fixing them, automatically?
That’s what DARPA was seeking, and that’s exactly what it got.
“I just keep thinking,” Tyler Nighswander, a member of the winning ForAllSecure team, said during the competition. “‘Man, our [cyber reasoning system] does these awesome, fast decisions, fast patches, fast exploitation, and as a human, there’s no way I can keep up with that.’”
‘We would have been talking about science fiction’
The final event of the CGC was much like a sporting event, with a live stream over the Internet and hundreds in attendance watching it happen as announcers offered a play-by-play. The event was a game of “capture the flag” between the seven computers with names like “Shellphish,” “Codejitsu,” and “Mayhem.”
Networked together, the computers would be fed never-seen-before software code, and then race to find the flaws within and fix them, while also defending their digital flags and pointing out problems with their adversaries.
“Mayhem” — which ultimately won the event — was built by ForAllSecure, a Pittsburgh, Pennsylvania-based startup founded by Carnegie Mellon alums. Much like their competition, the team led by Dr. David Brumley worked for two years to build a system that would be able to run through the challenges all while being able to react to the unforeseen, like running out of disk space.
One of those issues cropped up about halfway through the competition. Mayhem — with a commanding lead over its competitors — started to crash and burn.
“We noticed that Mayhem didn’t work as intended,” Alex Rebert, cofounder of ForAllSecure, told Business Insider. “I think we noticed the issue at 2 or 3 p.m. The whole rest of the day we were just depressed, thinking we would lose.”
Fortunately for Mayhem, its early success in finding and patching vulnerabilities kept it high up on the leaderboard, while later challenges it sat out proved difficult for the other six teams. After 95 rounds of bug hunting and all-machine hacking, Mayhem was the champion, with “Xandra” not far behind.
ForAllSecure took home $2 million in prize money, which Rebert says will go to pay some of its team and fund future operations for the next year or two. But the competition was about more than glory, respect, or cash. It was about proving automated systems can protect everyone from the tens of thousands of known software flaws, and more importantly, the ones we still know nothing about.
“If we were to talk about something like this 15 years ago,” said Visi, a hacker announcing the tournament. “We would have been talking about science fiction.”
But it was all too real. The competition’s creators used real-world examples such as the Heartbleed bug and SQL Slammer — a nasty worm that took down 75,000 computer systems in 10 minutes back in 2003, according to Dark Reading.
But instead of these issues having to be worked on over days and weeks by humans, many of the systems found and fixed them within minutes.
“In a five-minute window, a totally previously-never-seen-before challenge binary was researched and evaluated and found vulnerable — and patched — by a completely autonomous system,” Visi said, of SQL Slammer.
Now that the competition is over, DARPA is hopeful that the technology may someday give defenders an upper hand against attackers within their networks. And it isn’t the only one: Researchers from Microsoft and Raytheon — which had a team in the competition — see these automated machines as having serious potential.
“This first step is about lighting a spark, igniting an automation revolution, and watching the technology that will follow Mayhem in the years to come,” said Mike Walker, DARPA program manager, at the ceremony to announce the winners. “Automation may someday overcome the structural advantages of network offence and give the defence a chance at a fair fight. It can’t happen fast enough.”