Bug Hunting Cyber Bots Set to Square Off at DEF CON

DARPA’s Cyber Grand Challenge is set to culminate Thursday with a competition at DEF CON it’s calling the CGC Final Event.

LAS VEGAS — A government project in the works since 2013 is set to conclude Thursday at DEF CON when DARPA’s Cyber Grand Challenge culminates with a competition it’s calling the CGC Final Event.

The challenge will mirror Capture the Flag competitions usually held at the hacking conference. CTF contests pit groups of hackers against each other to explore code, identify weaknesses and unearth data. But this is the first time that individuals won’t participate in the challenge; instead, high-tech, autonomous computers, meticulously programmed by teams, will play the game.

DARPA announced cursory details around the event in October 2013 when it said it planned to sponsor a $2 million hacking contest at DEF CON 2016. At the time, prospective competitors were told they’d have to build an unmanned system to go up against similar systems to proof, check and patch vulnerabilities.

Two years later, seven teams, composed of researchers, hackers, academics, and startups, will square off on Thursday, the first day of this year’s DEF CON, at the Paris Hotel.

In the competition, once the network is activated, code is dumped and each machine will control a defended host. Like in a usual CTF, a referee doles out code in packets, with new challenge binaries—small, original programs written with one or more vulnerabilities—peppered throughout. The challenges contain flags that machines will have to either protect or capture.

Machines will have to protect their digital flags on the fly while patching bugs, some of which may never have been seen in the wild before. Teams will be awarded points for securing flags, keeping their system functioning, and for taking flags.

Essentially, the machines will be giant cyber-reasoning systems, each one able to search systems for vulnerabilities, write their own intrusion detection signatures, and issue patches.

One of DARPA’s main goals in putting on the Cyber Grand Challenge is to spark the idea of autonomy in cybersecurity. These days, it isn’t uncommon for companies to take weeks, if not months, to develop and deploy patches for vulnerabilities. Could it be possible one day for a system to identify and mitigate vulnerabilities over the course of a few minutes?

Mike Walker, Program Manager at DARPA, is eager for the event but admits he’s unsure what the end result will be.

“Unlike the case with self-driving cars, where the path to full autonomy, while challenging, is now just a matter of technological advances, we still don’t know if autonomy involving the kind of reasoning that’s required for cyber defense makes conceptual sense,” said Walker, who’s been organizing the Cyber Grand Challenge since joining the agency in early 2013. He hinted it may take a while to connect the dots.

“Everybody will get some little piece of it right and they’ll learn from each other,” he said. “Prototyping on a very quick deadline can have enormous results.”

DEF CON organizers will play along and even invite the winning machine to face off against real hackers the following day, though it’s unclear how it will fare.

“We certainly don’t expect any machine to win against humans at DEF CON this year. But at a minimum we’ll learn a lot from seeing how the systems fare against each other, and if we can even provide a clear proof of concept for autonomous cyber defense, that would be revolutionary,” Walker said.

A system will even allow the audience to watch dense visualizations showing the seven supercomputers working at lightning-fast speed, both in person at the 5,000-person Paris Hotel & Conference Center and online.

“We get data for all these interactions that are happening and we’ve turned it into a big picture view that I like to think of as a three-ring or more accurately a seven-ring circus,” said Matt Wynne, a designer with VoidAlpha, a computer simulation firm. The firm is pairing with Vector35, a company that was founded by former Capture The Flag junkies, to develop real-time visualization techniques to complement the competition Thursday night.

DARPA gave teams two years to fine tune their systems after paring the field down from the 104 teams that initially registered. The agency ultimately selected seven teams from the 28 that made the qualifying round in 2014 to appear in this week’s CGC finals.

One of the systems, Rubeus, put together by a group of engineers at Raytheon codenamed Deep Red, got the highest performance score in the qualifying round and was even able to improve its memory usage over time.

For many groups, in addition to beating the competition and winning the coveted prize money, the competition serves as an opportunity to find real-life parallels to their research, especially in the IoT spectrum.

“As more devices get connected to networks, the attack surface is growing so large that it’s impossible for people alone to close every gap,” said Jack Harrington, VP, Cybersecurity and Special Missions, Raytheon IIS. “The automated cybersecurity technologies coming out of our cyber centers and the DARPA competition are the first step toward having machines actively protect themselves.”

For Dr. David Brumley, CEO of ForAllSecure, a team forged through connections made at Carnegie Mellon University, it’s all about ensuring civilians can one day verify that the software in their connected devices is safe.

“For me personally, I want to make sure that everyone can check the security of the software they’re using. I want to make sure that the person who buys a smart refrigerator knows that it’s not going to be a new avenue for someone to steal their new credit card number,” Brumley said.

Giovanni Vigna, a University of California Santa Barbara professor who is leading Shellphish, a group of students from the school’s SecLab hacking team, told Threatpost that the past few weeks leading up to the Cyber Grand Challenge have been brutal for his team.

“It has been an excruciating month. The whole team has been working days and nights (mostly nights!) to get this done. Everybody is really excited (and exhausted). This is a very first for everyone involved. Nobody thought it would take so much work,” Vigna said.

Shellphish’s speciality is binary analysis. A Python framework the group came up with, dubbed Angr, is composed of algorithms that can analyze firmware in small devices, smart locks and other IoT devices, like lightbulbs and cameras.

After putting so much work into their system, Mechanical Phish, Vigna hopes things go according to plan Thursday night.

“We are terrified that a small mistake might just crash the system and completely put us out of the game. It would be a bummer after so much work. It would be like being a self-driving car for months only to see it falling into a ditch 10 yards after the start.”
