Science

This System Won a DARPA Contest by Hacking Its Rivals

Seven systems fought in the Cyber Grand Challenge -- without human interaction.

by Mike Brown
ForAllSecure/Twitter

A system called Mayhem has been declared the presumptive winner of a groundbreaking new competition that pits machine against machine. The Cyber Grand Challenge (CGC), ran by the U.S. Department of Defense’s DARPA lab, described itself as the world’s first all-hacking competition. The game involved no human interaction — the systems were challenged to discover, fix, and exploit bugs in seconds that could have been undiscovered for months.

The CGC ended in a grand final in Las Vegas Thursday night ahead of the DEF CON hacking convention. The end of a three-year competition, the CGC’s grand prize of $2 million cash pushed some of the best minds in cybersecurity to give it their all.

Mayhem is expected to be invited to compete against humans on Friday at DEF CON. It will be the first time a machine has participated in DEF CON’s “Capture the Flag” competition.

“This may be the end of DARPA’s Cyber Grand Challenge but it’s just the beginning of a revolution in software security,” said Mike Walker, the DARPA program manager who launched the challenge in 2013, in a statement.

In the CGC, seven completely automated systems competed in a 96-round final spanning almost 10 hours. In that time they analyzed specially-written programs, tried to find flaws that would cause them to “die,” and fixed them. At the same time, systems aimed to exploit their rivals’ flaws before they could defend.

Professor David Brumley, a co-founder of Mayhem’s team ForAllSecure, is a passionate advocate for the CGC. In a blog post ahead of the final, he explained that the competition gives researchers a chance to compare, contrast, and work out the best ways systems could automatically fix themselves.

“Think about it: if we could develop computers that could automatically find vulnerabilities, then the good guys could fix them first,” Brumley said.

ForAllSecure explained that winning system Mayhem actually works in two parts: the Mayhem symbolic executor, and a directed fuzzer called Murphy (named after team member John Davis’ cat). Unlike the symbolic executor’s slower analysis, fuzzers test programs by feeding them large amounts of random data. Murphy is great for quickly finding simple bugs, leaving Mayhem to find deeper, more complex issues. The two talk to each other through a database, comparing results.

Mayhem may have won the battle, but it’s only the beginning. The breakthrough has the potential to revolutionize industries — DARPA estimates that exploits on average go undiscovered for around 10 months.

“In the same way that the Wright brothers’ first flight — although it didn’t go very far — launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense,” Walker said. “That is a huge advance compared to where the cyber defense world was yesterday.”