Game over, security researchers – DARPA’s AI bug hunters are coming for your jobs

DEF CON A quest to build a smart computer system that finds and patches bugs faster and more efficiently than humans is off to a good start with all the teams in DARPA’s Cyber Grand Challenge performing very well indeed.

The contest, held at the DEF CON hacking conference in Las Vegas, was organised by the research arm of the US military and saw seven teams test out their automated seek-and-patch-ware in a simulated operating system. The eight-hour contest saw the teams find and patch 420 flaws and create 650 proofs of concepts.

“Our mission is to change what’s possible so we can take huge strides forward in our national security capabilities,” said Arati Prabhakar at the post-contest press conference. “We did it today and it was a very satisfying experience.”

Each team was equipped with a server containing 128 Intel Xeon processors running at 2.5 GhZ and boasting over a thousand processing cores, 16TB of RAM and a liquid cooling system that required 250 gallons of water per minute to cool the big iron. They were let loose on a custom-designed operating system and instructed to find flaws, patch them automatically, and provide proof of concepts for flaws in each other's systems.

At the same time seven other similar system were used by the judges to monitor the progress of the event as the systems ran 96 rounds lasting 270 seconds, with 30 second breaks in between rounds. At stake was US$3.75m in government greenbacks.

The competition, which has taken three years and $55m to set up, is designed to automate the whole process of bug hunting.

Mike Walker, the DARPA program manager overseeing the Cyber Grand Challenge, said that this was the first stage in a possibly decade-long process to automate security monitoring and make networks more resilient.

“We have redefined what is possible and we did it in the course of hours with autonomous systems that we challenged the world to build,” he said. “I want people to understand how difficult it is to build prototype revolutionary technology and field it in front of the eyes of the world. I have enormous respect for those folks.”

A DARPA representative told The Reg that at this stage the winning team, with 270,042 points, was the ForAllSecure team, founded by the Carnegie Mellon University professor of electrical and computer engineering David Brumley. Results aren't final, but if confirmed his team will scoop the $2m top prize.

The ForAllSecure team’s success was all the more surprising because a key bug finding system in the computer’s programming crashed around half way through the competition. It repaired itself and got back up and running before the competition ended but maintained a narrow lead until the end of the contest.

In second place, with 262,036 points, was the TechX team from GrammaTech and the University of Virginia, setting them up for a $1m payday. In third place was the Shellphish team, led by Professor Giovanni Vigna, director of the Centre for CyberSecurity at the University of California, Santa Barbara, who are in line for $750,000.

Once the results have been confirmed the winning system will be pitted against human foes in a capture the flag competition. Walker said that he didn’t expect the automated system to come close to matching fleshy competitors in the contest, but the first five minutes of the competition would give a good example of how computers could leverage their faster processing speed against human inventiveness.

This is a long road we are going to travel, Walker stressed. The first United States Computer Chess Championship took place in 1970 and it wasn’t until 1996 that IBM’s Deep Blue system finally beat a human grandmaster at the game - and then only at speed chess. But the fuse has been lit he said, and the clock is now ticking for professional bug hunters ... and perhaps the automated systems that could one day put them out to grass. ®