Hailed as the world’s first all-machine hacking tournament, the Cyber Grand Challenge was held on August 4 at the DEF CON annual conference in Las Vegas. The sponsor, DARPA (the Defense Advanced Research Projects Agency), is the organization that gave us the Internet. The original challenge was taken up by more than 100 teams three years ago. The seven finalist teams who moved on from that challenge to this year’s event are among the world’s most notable security researchers and hackers. After eight hours, it was the team from the ForAllSecure company and their machine called Mayhem that prevailed.
DEF CON is, according to its website, “one of the oldest continuously running hacker conventions around, and also one of the largest.” The annual conference offers a great deal of activity to go along with the usual keynote speakers: “movie marathons, scavenger hunts, sleep deprivation, lock picking, warez trading [copyrighted games or applications that have been cracked], drunken parties, spot the fed contest, and music events.” And then there are the attendees who play Capture the Flag 24/7. For them, DEF CON is a tournament—an opportunity to match your hacking skills against the best in the world. And if you prevail, you might even get a mention on the DEF CON CTF (Capture the Flag) History page.
In the past, Capture the Flag computer security competitions have pitted human teams and their machines against other teams’ systems, with each team simultaneously attacking competitors while repairing damage on its own systems. This year, under the guidance of the Pentagon’s research arm, DARPA, the contest was just between powerful computers and their security systems. Announced three years ago, in October 2013, the long-term project sought answers for two fundamental questions: “What if computers had a ‘check engine’ light that could indicate new, novel security problems? What if computers could go one step further and heal security problems before they happen?”
To advance the research into these queries, the agency issued a public challenge that had a serious incentive attached:
“The Defense Advanced Research Projects Agency (DARPA) intends to hold the Cyber Grand Challenge (CGC)—the first ever tournament for fully automatic network defense systems. DARPA envisions teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches and apply them to protected computers on a network. To succeed, competitors must bridge the expert gap between security software and cutting-edge program analysis research. The winning team would receive a cash prize of $2 million.”
The basic idea was to create computers that could detect attacks and fix vulnerabilities before the attacker could cause any damage. The intention? To address an uncomfortable reality. The sponsor explained, “The growth trends we’ve seen in cyber attacks and malware point to a future where automation must be developed to assist IT security analysts.” DARPA cited the Heartbleed security bug as an example of malware that settled undetected on a half-million secure servers on the Internet, rendering those systems vulnerable to damage and theft for more than two and a half years before it was detected and patched. “Analysts,” the agency reports, “have estimated that, on average, such flaws go unremediated for 10 months before being discovered and patched, giving nefarious actors ample opportunity to wreak havoc in affected systems before they move on to exploit new terrain.”
The first-ever cyber competition would happen on a network framework that was built to interface with other automatic systems. The challenge was to detect, isolate, and neutralize attacks that were designed to compromise the computer. No human intervention by the computers’ creators was allowed. At the end of the day, three winners took away $2 million (ForAllSecure), $1 million (the Xandra machine built by TECHx of Ithaca, N.Y.), and $750,000 (the Mechanical Phish by Shellphish of Santa Barbara, Calif.), respectively.
There’s a DARPA video replay of the eight-hour competition between the computers on stage. The teams and the machines are introduced, and the function of the referees is included. It’s a documentary-length presentation that’s a little heavy on the geek elements, but there’s a serious attempt to explain what’s happening and what it might mean to the future of computing. If you were fascinated by the video coverage of the competition between IBM’s supercomputer Watson and the Jeopardy champions, the Capture the Flag story is worth a look. It runs about two and a half hours.
DARPA’s Cyber Grand Challenge: Final Event Program.
The payoff for the three-year experiment will probably become a little clearer as the supercomputers in the competition get scaled down to systems that can be installed as self-repairing sentinels in commercial networks, and then, maybe someday, as “engine light” functions wired into our home systems.