DARPA’s all-machine cyber challenge

The automation of cyber defense will take center stage at the Defense Advanced Research Projects Agency’s Cyber Grand Challenge next month.

During the 10-hour Aug. 4 event, seven teams and their high-performance machines will compete to “capture the flag,” a computer security challenge that demonstrates hackers offensive and defensive skills.

According to DEF CON, the annual hacking conference in Las Vegas, the Cyber Grand Challenge will be the first all-computer hacking tournament where machines will try to find and fix bugs in real time by reverse engineering software, probing the security of opponent software and re-mixing defended services with machine-generated patches and defenses. The idea builds on the growing use of machine learning to automate data analytics, which is especially important as the Internet of Things proliferates and more sensors and smart devices connect.

The need for fully automated, autonomous cybersecurity is growing as technology outpaces humans’ ability to manually manage it. And the need to quickly spot and repair software glitches is increasing exponentially as more sensors and smart devices are connected, according to a report in Defense Systems.

Cyber Grand Challenge Program Manager Mike Walker said the amount of deployed code is expected to reach 1 trillion lines by the middle of the century, according to Defense Systems. “That does not count the number of times those lines have been replicated, turned into binary code, stamped into chips that can no longer be updated,” Walker said. “And those chips have been put into ‘things’ and those ‘things’ have been distributed around the world.” That means the number of potential vulnerabilities will explode.

In qualifying heats last year, competitors had to study 131 pieces of software to find 590 flaws that DARPA knew about, and though no team found all the bugs, the best results from each were combined to completely patch the test code by the end of the competition, according the Defense Department.

In the final round in August, each of the seven teams will use a DARPA high-performance computer powered by about 1,000 Intel Xeon processor cores and 16 terabytes of RAM. The computers will run an open-source operating system extension called DECREE -- for DARPA Experimental Cybersecurity Research Evaluation Environment -- built expressly for computer security research and experimentation. Competitors have to program the computer with a “cyber reasoning system” that will automatically find and address exploitable flaws in the DARPA-supplied code.

“The cyber reasoning systems will also be networked so they can examine their competitors’ software for flaws and get extra points if they can automatically generate proof-of-concept exploits for bugs found in their opponents,” according to The Register.

Additionally, during the competition, viewers will see on a screen what the hack bots are doing in the seven computers, while commentators provide the play by play, according to a recent Wired article. DARPA built the visualization with videogame company voidAlpha.

“What’s happening inside the central processing unit? What’s happening inside the memory?” Walker told Wired. “That’s what we’re trying to do here.”

DARPA has invested $55 million in the competition. The winner will get $2 million, while the runner-up and third-place winner will get $1 million and $750,000, respectively.

The inspiration for the competition comes from DARPA’s 2004 Grand Challenge to build a self-driving car. Although no contestant succeeded in that challenge, it inspired others to build such vehicles successfully -- and the same is expected to happen this time around.

“The agency isn’t expecting any team to produce a perfect system that can find and fix all flaws this year,” the article states.