Resistance is futile: DARPA’s competition to automate security

Fighting robots

At the DEF CON hacker conference in Las Vegas this week, the US Defense Advanced Research Projects Agency (DARPA)’s much-anticipated event finally took place – the “world’s first all-machine hacking tournament.”

Over the last few years, seven teams each built their own “Cyber Reasoning System” (CRS): an automated system that sniffs out security issues in software – learning as it goes – and fixes the problems, too.

Each team’s CRS competed during a 12-hour capture-the-flag event. It was assessed based on how well it performed against specific challenges: evaluating flaws and fixing them while making sure their fixes didn’t fundamentally change the software’s performance.

Born from faculty and alumni of Carnegie Mellon University, ForAllSecure were the overall winners of the tournament. The team netted the $2m Grand Prize with their CRS, named “Mayhem”.

DARPA wants to speed up a lot of components in security research – like finding vulnerabilities, patch creation and application – by using machine learning to have computers do this work automatically, and a lot faster than humans would.

The reason DARPA wants to take these tasks out of human hands is that we just can’t keep up with all the security flaws and related maintenance and mitigation tasks.

As we’ve previously noted here on Naked Security, one of the reasons the idea of automated security is so powerful is that defenders have to try to lock down all possible attack vectors, while an attacker only needs to have one success.

“Our best data tell us that that hole will work for about a year before it’s discovered by defenders… You want computers to be able to defend themselves, and it’s going to change the balance of power between attackers and defenders.” – DARPA program manager Mike Walker, 60 Minutes

Given how long it can take for an attack on an organization’s systems to even be noticed, let alone fixed, if defenders have automated machine-learning arsenals on their side, the fight becomes that bit fairer.

The implications of the success of the CRS tournament are indeed wide-ranging. Testing the software that runs our electrical and water infrastructure with a CRS could help keep these sensitive systems locked down. And the rampant security lapses we see in consumer IoT devices could be significantly reduced if those devices were tested and fixed by an automated CRS.

The CRSs shown at the DARPA tournament are proofs of a concept that could change the face of security as we know it. But no one is in danger of losing their information security career to the robot overlords just yet.

It may not be too far away, though: after all, there are already services to automate blog writing.