DARPA's Cyber Grand Challenge

Computers Taught to Hack Themselves

The Defense Advanced Research Projects Agency (DARPA) held a competition last Thursday in which seven computers tried to hack each other. With $55 million on the line, all seven teams cut the (figurative) cord and watched their systems attack and defend with no human interference.

The Cyber Grand Challenge (CGC), for which teams started research back in 2013, pitted code against code in an attempt to identify as many software vulnerabilities as possible. Equally impressive, the systems also patched any vulnerabilities they could find in their own software. Seven supercomputers each guarded a server while trying to break into their opponents’. No one knew what type of software DARPA would install for the competition, and even unintended vulnerabilities were found.


In over 8 hours of competition, divided into 96 rounds of about 270 seconds each, the machines wrote 421 new or replacement sections of code and 650 unique proofs of vulnerability. Finding and patching vulnerabilities is still a human skill, and a rare one at that. Today’s autonomous systems may soon learn to find familiar bugs faster than humanly possible, but trickier bugs will still need human intuition.

The type of hacking competition DARPA held, where hackers attack each other while defending their own systems, is commonly known as “Capture the Flag”. Until now, these competitions have been difficult to watch because they take place in cyberspace. To address this, DARPA partnered with San Francisco-based gaming company voidAlpha to visualize what is happening inside the machines.

Groups of hexagons stand for services running inside the machines. Colored lines show data flowing into these services, including probes from competing machines. This allows the audience to see when a bot finds a security hole, when it patches a hole, or when it exploits another machine.

Team ForAllSecure, a startup of computer scientists from Pittsburgh, placed first, earning a $2 million prize. Their entry, Mayhem, will also be allowed to participate in DEFCON’s hacking challenge, the first time a machine has been allowed to participate. Second place and a $1 million prize went to TECHx, a team of software analysis experts from GrammaTech Inc. and the University of Virginia. Third place went to team Shellphish, a group of Computer Science graduates at the University of California, Santa Barbara, who won $750,000.

This competition marks an important step for security going forward. With huge numbers of products joining the internet of things, new software is needed to protect everything from your computer to your light bulbs. Although software can’t completely replace human bug hunters yet, it can be used to find and patch large numbers of common vulnerabilities.

For those interested, an expanded highlights reel from the competition can be found here.