Mayhem reigns
The DARPA Grand Cyber Challenge plays out in Las Vegas as machines battle each other for prizes.
Back in 2013, DARPA (the US defence agency which had a vital role in the research which led to the internet) announced its intention to hold a ‘Cyber Grand Challenge’, consisting of teams creating automated systems that could compete against each other to evaluate software, test for vulnerabilities, generate security patches and apply them to protected computers on a network.
In a press release, the agency pointed out that the process of finding and countering bugs, hacks, and other attack vectors “is still effectively artisanal”, with professional bug hunters and other security professionals dedicating a huge amount of effort searching millions of lines of code to find and fix vulnerabilities that could be taken advantage of by users with ulterior motives. Many teams took up this challenge, using technologies such as machine learning to try and automatically perform this work.
After preliminary rounds, the Cyber Grand Challenge final took place at DEF CON 24 in Las Vegas in August, with seven finalists aiming to capture the top prize of two million dollars for the team which outperformed the competition in a special ‘capture the flag’ contest. The systems, running on identical high-end hardware, battled for over eight hours to find and repair bugs in specially prepared software while at the same time using the flaw uncovered to attack their competitors.
The eventual winner was Mayhem, which was developed by ForAllSecure of Pittsburgh. In order to fuel follow-up research, all of the code produced by the automated systems during the final event has been released to allow others to learn from it (see http:// github.com/CyberGrandChallenge). The systems themselves run on a Linux-based environment known as DECREE, which includes support for specialised binaries used in the challenges themselves.
Mayhem was invited to participate in the annual human DEF CON capture the flag contest, where, as expected it placed last, but did manage to complete one task ahead of the other teams. DARPA hope that the research and development generated as a result of the competition will lead to new technologies and products, in much the same way as its autonomous vehicle competition did in 2005.