Supercomputers give a glimpse of cybersecurity's automated future

Seven supercomputers competed in a contest to find software vulnerabilities

Giant refrigerator-sized supercomputers battled each other on Thursday in a virtual contest to show that machines can find software vulnerabilities.

The result: the supercomputers time and time again detected simulated flaws in software.

It represents a technological achievement in vulnerability detection, at a time when it can take human researchers on an average a year to find software flaws. The hope is that computers can do a better job and perhaps detect and patch the flaws within months, weeks or even days.

Thursday’s contest, called the Cyber Grand Challenge, was a step in that direction. The final round of the competition pitted computers from seven teams to play the hacking game “Capture the Flag,” which revolves around detecting software vulnerabilities.

All the machines were brought together to compete in Las Vegas at DEF CON, a cybersecurity event where human hackers have annually played the Capture the Flag game for years.

However, this time, the fully-automated computers were the sole participants, and during the competition, none of them had any help from their human creators.

To score points, the computers played 96 rounds, in which they authored streams of new code to both prove vulnerabilities existed in software and patch flaws. All of this was done in minutes.

Modified versions of bugs including Heartbleed, Sendmail crackaddr and the Morris Worm were also thrown at the computers, and certain machines detected and repaired them.

Officials at DARPA, the U.S. defense agency that sponsored the contest, said the machines gave a possible glimpse of the future of cybersecurity.

“We’ve proven that this automation is possible,” said Mike Walker, program manager for the Cyber Grand Challenge.

However, it still remains to be seen when these supercomputers might be used in real-world environments. For instance, the machines that played the Capture the Flag game analyzed the flaws within a simplified operating system. That’s considerably different from scanning a real OS – which is large and often encompasses a whole ecosystem of software products.

Nevertheless, the supercomputers are up to the challenge, said David Brumley, a designer of one of the machines. His unit, called “Mayhem” was declared the preliminary winner in Thursday’s contest and could come away with the US$2 million grand prize.

“Cybersecurity has really relied on human effort, and we still need that, but we haven’t done enough to automate,” he said. ForAllSecure, his company in Pennsylvania, has already been using its machine-based detecting techniques to find flaws in Linux.

“We can start making a difference right away,” he said. However, Brumley hopes his technology can get more funding.

On Friday, the contest will announce the official winner, and that machine will go on to another test -- organizers will pit it against actual human players at a Capture the Flag game at DEF CON.

DARPA doesn’t expect the machine to win. Walker said the scenario is similar to when early chess programs faced off against the best human players.

However, it only took a few decades before those programs began besting human opponents, he said.  

“Automation has nowhere to go but get better,” Walker added.

Join the CSO newsletter!

Error: Please check your email address.

More about Linux

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Kan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place