In the world of computer security, the bad guys are always 10 steps ahead of the good guys. But next month the mad scientists at the government’s Defense Advanced Research Projects Agency (DARPA) will bring together a group of the world’s best computer security experts to see if they can tip the scales in the good guys’ favor for once.
Dubbed the Cyber Grand Challenge (CGC), the event will determine if an autonomous program can hunt for security vulnerabilities that hackers can exploit to attack a computer, create a fix that patches that vulnerability and distribute that patch — all without any human interference.
“The idea here is to start a technology revolution,” said DARPA program manager for the CGC, Mike Walker.
What does that mean for you? Well, if all goes well, the CGC could mean a future where you don’t have to worry about viruses or hackers attacking your computer, smartphone or your other connected devices. At a national level, this technology could help prevent large-scale attacks against things like power plants, water supplies and air-traffic infrastructure.
So much code, so little time
At this point, you’re probably wondering why this is such a big deal. After all, your computer’s anti-virus program finds and fixes security holes all the time, right?
Yes and no. It’s true your own in-home anti-virus software can find security flaws and deal with them. But it takes real-live humans to design software to detect and fix those flaws.
Yes, people — albeit super smart people — are currently responsible for finding and fixing the security problems that make things like viruses and malware possible.
There are two ways companies can find security problems: proactively, that is, they actually search out flaws in operating systems or other programs; and reactively, where researchers learn about a security issue and get to work fixing it.
According to Walker, it takes security researchers an average of 312 days to discover security vulnerabilities in computer programs. During that time, hackers have the ability to do whatever they please with that flaw, whether that includes stealing Social Security information or breaking into your social media account. Even when security researchers actually know of a critical security flaw, Walker said, it takes up to 24 days to patch it.
Why does it take researchers so long to find and fix this stuff? Because the operating systems and programs you’re reading this very article on are created using millions of lines of code. And a single mistake in that code can be used to attack a computer system. To say finding those flaws is akin to finding a needle in a haystack is an incredible understatement.
And just to bring everything full circle, that means the security software on your computer can only recognize and fix security issues it has been programmed with. So while your security program may say you’re protected, you’re actually only shielded from the flaws security firms already know about.
You’re still totally vulnerable to the untold number of flaws that have yet to be discovered.
A grand challenge
That’s where the CGC comes in. The event, Walker explains, is akin to DARPA’s previous technology challenges including its famous self-driving car Grand Challenge, which began in 2004. Like that challenge, the CGC involves teams of researchers, students and programmers working to complete a specific goal.
In this case, the goal is to create a program that can sniff out software vulnerabilities, create a patch and implement it without any human intervention whatsoever. But the teams won’t be playing together. Instead, they’ll face off against each other in a form of digital capture the flag.
This isn’t your typical capture the flag-style game, though. In the cyber security space, capture the flag is played with groups of computer experts broken down into different teams. Each team gets the same kind of computer with the same built-in security vulnerabilities.
It’s the hackers and programmers’ jobs to find those flaws on their own systems, patch them and then tell the game’s referees the other teams might have the same flaw. If they’re correct and the other teams didn’t patch the error on their own systems, the reporting team gets a point.
It’s far more complicated than it sounds, though. The players have to scour lines of code for potential flaws and then figure out how to address them. They then have to see if they can exploit those flaws to compromise the other players’ systems. And they have to do all of this while trying to protect their own systems. So yeah, it’s difficult.
With the CGC, though, they have to create software that can essentially do all of the above on its own. According to Walker, the participating teams’ programs must be able to provide a “proof of vulnerability” in a system.
A proof of vulnerability system allows a program that a team has created to tell a DARPA referee that “it can control the crashing process of an opponent’s software. After making the claim to DARPA, the bot attempts to crash software on the remote system in a way consistent with its claim.”
The concept for the challenge kicked off in 2014, when DARPA held a worldwide call for contestants. That year, the challenge, Walker explained, was for competitors to develop an automated system that could provide an input that could crash a test system.
Of the more than 100 teams that participated in the 2014 event only seven were up to the task — including those with team names like ShellPhish, CodeJitsu and ForAllSecure. The CGC competition next month will be far more demanding.
A future without hackers?
The point of the CGC is to make the world of connected devices infinitely safer. Instead of taking nearly a year to find and repair software vulnerabilities, the kind of technologies these GCG competitors are creating could cut that time down to minutes or even seconds.
“Imagine a hacker in the future sitting at a keyboard armed with an unknown flaw they just discovered,” Walker posited. “They connect to a computer, they break in, and then 30 seconds later their connection is cut. When they try to get into a computer using the same hack and it won’t work.”
That kind of speed and responsiveness could drastically improve computer security across the board.
But it will be quite some time before we see this kind of technology implemented at the consumer level. That’s because the computer systems being used during the CGC are essentially super-computers worth thousands. That’s because the calculations these systems are performing require an incredible amount of horsepower that you just can’t find in your everyday computer.
“It’s difficult to think of this technology anywhere in the near term on anything but a super-computer,” Walker explained. “It could be used in the cloud, because there is an enormous amount of computing power required.”
That means, Walker said, companies like Microsoft could develop a means to test software for security flaws. If one is found, they could deploy a downloadable fix to users around the world via the internet in the same day.
Until then, though, stay safe out there.