Supercomputers offer a look at cybersecurity's automated future

dsc05068

DARPA's Cyber Grand Challenge held its final round on Thursday.

Credit: Michael Kan

Seven supercomputers competed in a contest to find software vulnerabilities

Giant refrigerator-sized supercomputers battled each other on Thursday in a virtual contest to show that machines can find software vulnerabilities.

resume makeover multimedia

Writing a resume means knowing your audience. If you try to please everyone, you’ll only wind up with

Read Now

The result: the supercomputers time and time again detected simulated flaws in software.

It represents a technological achievement in vulnerability detection, at a time when it can take human researchers on an average a year to find software flaws. The hope is that computers can do a better job and perhaps detect and patch the flaws within months, weeks or even days.

Thursday’s contest, called the Cyber Grand Challenge, was a step in that direction. The final round of the competition pitted computers from seven teams to play the hacking game “Capture the Flag,” which revolves around detecting software vulnerabilities.

All the machines were brought together to compete in Las Vegas at DEF CON, a cybersecurity event where human hackers have annually played the Capture the Flag game for years.

However, this time, the fully-automated computers were the sole participants, and during the competition, none of them had any help from their human creators.

To score points, the computers played 96 rounds, in which they authored streams of new code to both prove vulnerabilities existed in software and patch flaws. All of this was done in minutes.

Modified versions of bugs including Heartbleed, Sendmail crackaddr and the Morris Worm were also thrown at the computers, and certain machines detected and repaired them.

Officials at DARPA, the U.S. defense agency that sponsored the contest, said the machines gave a possible glimpse of the future of cybersecurity.

“We’ve proven that this automation is possible,” said Mike Walker, program manager for the Cyber Grand Challenge.

However, it still remains to be seen when these supercomputers might be used in real-world environments. For instance, the machines that played the Capture the Flag game analyzed the flaws within a simplified operating system. That’s considerably different from scanning a real OS – which is large and often encompasses a whole ecosystem of software products.

Nevertheless, the supercomputers are up to the challenge, said David Brumley, a designer of one of the machines. His unit, called “Mayhem” was declared the preliminary winner in Thursday’s contest and could come away with the US$2 million grand prize.

“Cybersecurity has really relied on human effort, and we still need that, but we haven’t done enough to automate,” he said. ForAllSecure, his company in Pennsylvania, has already been using its machine-based detecting techniques to find flaws in Linux.

“We can start making a difference right away,” he said. However, Brumley hopes his technology can get more funding.

On Friday, the contest will announce the official winner, and that machine will go on to another test -- organizers will pit it against actual human players at a Capture the Flag game at DEF CON.

DARPA doesn’t expect the machine to win. Walker said the scenario is similar to when early chess programs faced off against the best human players.

However, it only took a few decades before those programs began besting human opponents, he said.  

“Automation has nowhere to go but get better,” Walker added.

Windows Server 2016 licensing and servicing options explained
View 2 Comments
Join the discussion
Our Commenting Policies

    2 Comments
    7 days ago
    Ken Z
    I'll bet all of these machines are running Linux.
    What else would supercomputers use besides Linux? ---Nothing else is up to the task.

    ---yet why no mention of the operating system here in this article?
    This point alone reveals a carp-load about Computerworld.

    What would you hear and read about if they were all running some proprietary vendors operating system. Yea it would be pasted all over the article. Funny how the Linux word is never mentioned in these articles on supercomputing. Call me a cynic but it seem to reveal quite a bit about the publisher.
    4 days ago
    MurryPhillips
    I do not know about Computerworld, however the reporter Michael Kan could be the issue. Because he is a Beijing Correspondent should say a lot.  However in his defense, we all have our own agenda and will report on what at the time feels important. Not just Computerworld but the entire news industry is getting really bad. 
    View All 2 Comments