Giant refrigerator-sized supercomputers battled each other on Thursday in a virtual contest to show that machines can find software vulnerabilities.
The result: the supercomputers time and time again detected simulated flaws in software.
It represents a technological achievement in vulnerability detection, at a time when it can take human researchers on an average a year to find software flaws. The hope is that computers can do a better job and perhaps detect and patch the flaws within months, weeks or even days.
Thursday’s contest, called the Cyber Grand Challenge, was a step in that direction. The final round of the competition pitted computers from seven teams to play the hacking game “Capture the Flag,” which revolves around detecting software vulnerabilities.
All the machines were brought together to compete in Las Vegas at DEF CON, a cybersecurity event where human hackers have annually played the Capture the Flag game for years.
However, this time, the fully-automated computers were the sole participants, and during the competition, none of them had any help from their human creators.
To score points, the computers played 96 rounds, in which they authored streams of new code to both prove vulnerabilities existed in software and patch flaws. All of this was done in minutes.
Modified versions of bugs including Heartbleed, Sendmail crackaddr and the Morris Worm were also thrown at the computers, and certain machines detected and repaired them.
Officials at DARPA, the U.S. defense agency that sponsored the contest, said the machines gave a possible glimpse of the future of cybersecurity.
“We’ve proven that this automation is possible,” said Mike Walker, program manager for the Cyber Grand Challenge.
However, it still remains to be seen when these supercomputers might be used in real-world environments. For instance, the machines that played the Capture the Flag game analyzed the flaws within a simplified operating system. That’s considerably different from scanning a real OS – which is large and often encompasses a whole ecosystem of software products.
Nevertheless, the supercomputers are up to the challenge, said David Brumley, a designer of one of the machines. His unit, called “Mayhem” was declared the preliminary winner in Thursday’s contest and could come away with the US$2 million grand prize.
“Cybersecurity has really relied on human effort, and we still need that, but we haven’t done enough to automate,” he said. ForAllSecure, his company in Pennsylvania, has already been using its machine-based detecting techniques to find flaws in Linux.
“We can start making a difference right away,” he said. However, Brumley hopes his technology can get more funding.
On Friday, the contest will announce the official winner, and that machine will go on to another test—organizers will pit it against actual human players at a Capture the Flag game at DEF CON.
DARPA doesn’t expect the machine to win. Walker said the scenario is similar to when early chess programs faced off against the best human players.
However, it only took a few decades before those programs began besting human opponents, he said.
“Automation has nowhere to go but get better,” Walker added.