On Thursday, Giovanni Vigna and his team of graduate students from the University of California, Santa Barbara will power up a supercomputer in the ballroom at the Paris Las Vegas hotel, sit back and make history. At least he hopes.
Vigna, a faculty member at UCSB where he runs the school’s Center for CyberSecurity, and his team, Shellphish, are taking part in a hacking competition called the Cyber Grand Challenge (CGC) and sponsored by the mad scientists at the government’s Defense Advanced Research Projects Agency’s (DARPA). You know, the folks who helped create the internet, pushed the development of self-driving cars and hosted a competition where a bunch of robots fell down … a lot? That’s DARPA.
The CGC won’t give us self-driving Ferraris or accident-prone robots, but it could see the dawn of intelligent computer programs that can protect our personal devices and even government facilities against cyber attacks. We’re talking about programs that can hunt for, fix and patch the kinds of software vulnerabilities hackers use to create viruses in mere seconds.
To put that in perspective, it currently takes human cyber security experts up to a year to find previously unknown software vulnerabilities, create patches for them and send out those patches to users. In the meantime, hackers can use those software vulnerabilities to break into everything from email accounts to power plants.
These vulnerabilities are the inevitable result of humans creating the programs we use every day. See, every piece of software you use has been programmed by human hands. And every once in awhile, a mistake slips by. A hacker’s mission is to find those flaws hiding in the millions of lines of code that make up a single program and exploit them to sneak into a user’s computer.
Vigna and Shellphish, though, are hoping their software can spot these flaws before the hackers and fix them before they can be exploited.
“If you write a program that does this, you have a program that is able to analyze another program and identify, exploit and patch vulnerabilities. It is going to push the limits of what can be done autonomously,” Vigna explained.
The CGC is made up of seven teams including Shellphish that will each try to prove that their software and way of thinking is the best bet to improve our cyber security. The CGC is using a familiar hacking game to test the teams’ programs called capture the flag (CTF). But whereas you probably played CTF on the playground, this version is played entirely inside of the teams’ computers.
In a normal game of hacker-style CTF, participating teams are given identical computers with similar software flaws. Each team is then tasked with finding those flaws on their own systems, patching them and then exploiting them on their opponents’ systems. At the CGC, however, all of this will happen inside of supercomputers so powerful they need to be cooled by industrial air conditioners.
“What DARPA tried to do is say: ‘Okay, let’s take the human out of the loop. If we don’t have the super good uber hacker and only have automated tools that have to work without any human intervention, who’s going to be best?” Vigna explained.
Vigna helped found the Shellphish team at UCSB in 2005 with a group of students. Since then, many of his students have gone on to be professors and internet security professionals.
But as older students graduate and move on from the team, Vigna said, more fresh faces come on board. The team working on the software for CGC is comprised of 13 people each of whom has one or more tasks to focus on to ensure the program works the way they think it should.
A failure of the software would be devastating for the team. After all, to get to the CGC, the Shellphish team had to compete against more than 100 other teams around the country in two preliminary contests. If the team wins, it will claim a piece of the $4 million grand prize. But more importantly a win could mean a way to help bring cyber attacks under control.
“The results of this research, this push for autonomous analysis, will be tools to check for vulnerabilities before sending out a program,” Vigna said. “So imagine you had the equivalent of a very good security tester and you are pushing out a new version of Internet Explorer. I say, ‘Well, we don’t think are holes in this that can be exploited, but let’s ask our automated checkers if that is actually the case.’ ”
If the automated programs don’t find any flaws, Vigna said, it’s safe to assume that new version of Internet Explorer, or whatever software you’re scanning, is safe and, as a result, far more difficult for hackers to break into. If the automated programs do find flaws, though, they can fix them and send out patches to every Internet Explorer user in the world.
This autonomous approach to security wouldn’t just benefit commercial software users, though. Vigna said it could also protected against state-sanctioned attacks by foreign actors.
The ability to proactively find flaws in software used in places like power plants means that if, for example, there is a cyber attack on one plant, the software could automatically detect the intrusion, shut the attack down, patch the vulnerability that allowed the attacker in and disseminate that patch to every other plant running the same software, ensuring that they’re protected.
As Vigna puts it: “I believe this event will push forward the state of the art of science. That’s the goal of DARPA, and it deserves high recognition for this.”
That said, even autonomous software won’t be able to make software invulnerable from exploits.
“There won’t be completely flawless programs,” Vigna said. “We can provide increasingly better security, but I don’t think winning the race of security is anywhere close. We will always find new ways to make insecure code.”
More from Dan: