U.S. Markets closed

Hackers have developed autonomous programs that'll hunt down and fix your vulnerabilities

Daniel Howley
Technology Editor

On Aug. 5, in a packed ballroom in the Paris Las Vegas hotel, seven teams of 68 programmers, hackers and researchers made history.

The teams, which were participating in the Defense Advanced Research Projects Agency’s (DARPA) Cyber Grand Challenge, proved that software they built could autonomously hunt for, identify and fix tiny vulnerabilities in programs. These are the kinds of vulnerabilities that hackers can use to do things like create viruses to take over your computer or break into ATM machines.

DARPA holds grand challenges on a regular basis, but the Cyber Grand Challenge was the first of its kind: A contest between autonomous machines without any human intervention. And of the teams that participated, one, ForAllSecure, took the $2 million first-place prize.

“It’s been a rollercoaster,” ForAllSecure team leader, Carnegie Mellon University professor David Brumley, said following the event. “At this point, we’re really happy. We’re excited. We just won $2 million.

A glimpse into the future

Usually when you think of DARPA, you probably think of things like self-driving cars, robots and railguns. But what these programmers managed to accomplish in Las Vegas is every bit as important and crazy as anything DARPA has ever done.

See, in order for hackers break into a computer system, they have to find vulnerabilities in its underlying software. That task might be easier for hackers than you’d suspect. That’s because the software we use everyday — whether it’s our computers’ operating systems or a favorite web browser’s — is built upon millions of lines of code written by regular people. And since humans are imperfect, it’s only natural that their code won’t be perfect, either.

Brian Katt/Wikipedia

Hackers spend their time trying to find those flaws so they can exploit them and take control of computer systems to steal anything from movies to financial information.

Normally, it takes the good guys up to a year to find such weak areas, fix them and send out the patches that we download to prevent hackers from attacking our own computers. In the meantime, those hackers can do as much damage as they want until the fixes are in place.

By now you should get the sense that computer hackers have an incredibly lopsided advantage over security experts in the fight to keep your computers safe. Think of it like two armies going up against each other, except one is armed with giant walking super tanks and the other has … sticks.

And that’s where the Cyber Grand Challenge comes in. Previous iterations of DARPA’s Grand Challenge saw competitors take part in hugely ambitious, nearly sci-fi trials such as building some of the first self-driving vehicles and autonomous robots.

But the Cyber Grand Challenge could have a greater impact than both of those. It could put an end to viruses and hacks that can attack everything from your connected coffee maker to your smart thermostat and, yes, those self-driving cars and robots from DARPA’s previous challenges.

Capture the flag

To test the competitors’ autonomous programs, DARPA modeled its challenge on a common hacking game: capture the flag. In the hacking version of capture the flag, teams of hackers and programmers are provided with identical pieces of software in which that they have to find flaws and vulnerabilities that can be exploited and hacked for points.

When a team locates a vulnerability, they can choose to either patch it on their own system to protect against other teams’ hacks, or attack other teams. The team with the most points at the end wins.

In the Cyber Grand Challenge’s version of capture the flag, the seven teams had to develop their own software that was smart enough to find flaws in the programs provided by DARPA and decide whether to defend against attacks or make attacks on its own.

That’s no small task, either. The kind of people who take part in these challenges are usually among the best in the world. And for a computer program to even come close to the abilities of a human hacker is unbelievable.

Fighting the baddest bugs

Even more impressive is the fact that the teams participating in the Cyber Grand Challenge never saw the programs DARPA threw at them during the event. So the teams had to make their own software smart enough to deal with every contingency. And the teams certainly delivered.

DARPA’s CGC Finalists (image:DoD photo by Cheryl Pellerin)

Not only were the seven teams’ individual programs able to find flaws in DARPA’s software on their own, but they were also able to defend against and fire off attacks at their competitors. To add an extra wrinkle to the challenge, DARPA loaded its software with some of the most devastating vulnerabilities in history including the Heartbleed bug, which terrified the world in 2014. That single bug gave hackers the ability to steal usernames and password information for protected sites that everyone originally thought had been secure.

Amazingly, the Cyber Grand Challenge teams’ programs were able to locate and fix the Heartbleed bug in no time. Even more impressive, though, is the fact that one team’s program was able to identify a flaw in DARPA’s own software. That’s right, the software that DARPA was using to feed bugs to the teams’ programs had a flaw of its own and a team found it.

That’s the equivalent of telling the College Board its solution to the most difficult math problem on the SAT is wrong and that you’ve figured out the real answer. So yeah, it’s pretty incredible.

Naturally, the computers powering the teams’ programs had to be astonishingly powerful. In fact, according to DARPA, the teams’ computers required enough juice to power a city block. That kind of computing power generates a lot of heat. So DARPA had to truck in sour industrial cooling units, since the hotel didn’t have the capacity to keep the systems cold.

So, where do the Grand Cyber Challenge’s competitors go from here? Well Brumley and ForAllSecure said they’ll get back to trying to create software that will make the world safer online.

“We’re going to continue looking at better ways to find vulnerabilities and to really scale [this software] to a larger number of programs,” Brumley said. “We think the world needs this kind of tech out there.”

More from Dan:

Email Dan Howley at dhowley@yahoo-inc.com; follow him on Twitter at @DanielHowley.

Correction: David Brumley is a professor at Carnegie Mellon University. This article previously stated that he taught at UCSB. The error has been corrected.