“Mayhem” declared winner of Cyber Grand Challenge
05 August 2016
The automated system outperforms competing machines in high-stakes final event aimed at revolutionising software vulnerability detection and patching.
Capping an intensive three-year push to spark a revolution in automated cyber defence, DARPA announced that a computer system designed by a team of Pittsburgh-based researchers is the presumptive winner of the Agency’s Cyber Grand Challenge (CGC), the world’s first all-hacking tournament.
The winning computer system, dubbed Mayhem, was created by a team known as ForAllSecure - one of seven teams that competed for nearly $4 million in prizes in an all-day competition, performed in front of 5,000 computer security professionals and others at the Paris Las Vegas Conference Centre.
Xandra, a computer system designed by team TECHx of Ithaca, N.Y., and Charlottesville, Va., was declared the presumptive second-place winner. Mechanical Phish, a system designed by team Shellphish of Santa Barbara, Calif., was named the presumptive third-place winner. First place in the CGC carries a cash award of $2 million; second- and third-place teams will receive $1 million and $750,000, respectively.
DEF CON organisers are expected to formally invite Mayhem to participate in this year’s DEF CON Capture the Flag competition, marking the first time a machine will be allowed to play in that historically all-human tournament.
“I’m enormously gratified that we achieved CGC’s primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defence is indeed possible,” said Mike Walker, the DARPA program manager who launched the challenge in 2013.
DARPA’s Cyber Grand Challenge was designed to accelerate the development of advanced, autonomous systems that can detect, evaluate, and patch software vulnerabilities before adversaries have a chance to exploit them. The seven competing teams in the final event were composed of white-hat hackers, academics, and private-sector cyber systems experts.
The need for automated, scalable, machine-speed vulnerability detection and patching is large and growing fast as more systems - from household appliances to major military platforms - get connected to and become dependent upon the internet. The process of finding and countering bugs, hacks, and other cyber infection vectors is still effectively artisanal. Professional bug hunters, security coders, and other security pros work tremendous hours, searching millions of lines of code to find and fix vulnerabilities that could be taken advantage of by users with ulterior motives.
The Heartbleed security bug existed in many of the world’s computer systems for nearly two and a half years, for example, before it was discovered and a fix circulated in spring 2014. By that time, the bug had rendered an estimated half million of the internet’s secure servers vulnerable to theft and other mischief. Analysts have estimated that, on average, such flaws go unremediated for ten months before being discovered and patched, giving nefarious actors ample opportunity to wreak havoc in affected systems before they move on to exploit new terrain.
This event was the first head-to-head competition among developers of some of the most sophisticated automated bug-hunting systems ever developed. For almost ten hours, competitors played the classic cybersecurity exercise of Capture the Flag in a specially created computer testbed laden with an array of bugs hidden inside custom, never-before-analysed software. The machines were challenged to find and patch within seconds - not the usual months - flawed code that was vulnerable to being hacked, and find their opponents’ weaknesses before the defending systems did. The entire event was visualised for attendees on giant monitors and livestreamed for remote viewers, with expert “sportscasters” documenting the historic competition.
“This may be the end of DARPA’s Cyber Grand Challenge but it’s just the beginning of a revolution in software security,” Walker said. “In the same way that the Wright brothers’ first flight - although it didn’t go very far - launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defence. That is a huge advance compared to where the cyber defence world was yesterday.”
For more about the Cyber Grand Challenge, including competition details and videos about the competing teams, please visit www.cybergrandchallenge.com.