Security

Carnegie Mellon Win Attests to Benefits of Automated Security in DARPA Competition

• By Dian Schaffhauser
• 08/08/16

A start-up that formed at Carnegie Mellon University has won $2 million in the first-ever all-machine hacking tournament. The Las Vegas event was hosted by DARPA, the Department of Defense's Defense Advanced Research Projects Agency, which focuses on national security. The importance of the DARPA Cyber Grand Challenge was that over 12 hours seven teams applied cyber reasoning systems to protect networks and keep applications running autonomously.

Those seven teams were winnowed down from more than a hundred originally playing in earlier qualifying rounds, many of which included the top security researchers and hackers in the world. They're accustomed to playing in highly competitive "capture the flag" tournaments, which test their abilities to evaluate software, seek out vulnerabilities, generate security patches and apply them to computers on the network. But this time the players were machines designed by those kinds of experts, enabling the event to reach its overall goal: to validate the concept of automated cyber defense, bridging the gap between top-notch security software and cutting-edge program analysis research.

"Mayhem," the system built by ForAllSecure, gained the most points as it protected hosts, scanned the network for vulnerabilities and maintained working software.

The automated systems did so well, according to one organizer, they even ended up identifying, locating and protecting against an unknown vulnerability that wasn't part of the game. "In a five-minute window," marveled the organizer in a "highlights" video, "a totally previously never seen before challenge binary was researched, evaluated and found vulnerable and patched by a completely autonomous system."

"Our vision is to check the world's software for exploitable bugs so they can be fixed before attackers use them to hack computers," added David Brumley, CEO of the company behind the winning system as well as director of Carnegie Mellon's CyLab Security and Privacy Institute, and a professor of electrical and computer engineering. "We believe our technology can make the world's computers safe and secure."

ForAllSecure was co-founded in 2012 by Brumley and two Carnegie Mellon graduate students. The startup currently has eight employees and is based in Pittsburgh.

Other teams with institutional representation included Shellphish, which grew out of a security hacking group at the University of California, Santa Barbara; TECHx, a joint University of Virginia and GrammaTech initiative; and CodeJitsu, which brought together researchers from the University of California, Berkeley, Syracuse University and Cyberhaven.