DARPA's Cyber Grand Challenge Heads to DefCon

The era of autonomous computing comes to security, but that doesn't mean that humans will become irrelevant.

Cyber Grand Challenge

Typically, a hacking tournament is made up of humans attempting to exploit code and applications, but that's not the case for the Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge (CGC). The CGC occurs on Aug. 4 at the DefCon security conference in Las Vegas and will see seven different autonomous computing systems compete in what is being billed as the world's first all-machine hacking tournament.

The goal of the CGC is to promote autonomous computing approaches for the defense of applications and networks. The total prize pool is $3.75 million, with the grand prize winner receiving $2 million, second place getting $1 million and third place winning $750,000.

DefCon has long been home to one of the world's largest Capture the Flag (CTF) hacking team challenges. A CTF is a contest in which participants are rewarded for finding bugs and flaws in a fast-paced environment. With CGC, instead of humans, seven autonomous computer systems will compete against each other in a fully automated way.

The seven teams that have made it to the CGC finals are CodeJitsu from Berkeley, Calif.; CSDS (Cyber Security Development Solutions) from the University of Idaho; Deep Red from Arlington, Va.; disekt from Athens, Ga.; For All Secure from Pittsburgh; Shellphish from the University of California, Santa Barbara; and TechX from Ithaca, N.Y.

The TechX team is made up of researchers from the University of Virginia and GrammaTech, a commercial software assurance and security vendor.

"We do a lot of research together with universities and government institutions, including DARPA," Mike Brown, chief marketing officer at GrammaTech, told eWEEK.

While there is a lot of hype around the internet of things (IoT) market, security is a big challenge, Brown said. What makes the CGC interesting is it serves as a proving ground for technologies that GrammaTech sees as being fundamental for IoT devices to help secure themselves, he said.

DARPA will provide each team with application binaries that have defects or vulnerabilities in them. The TechX system, which is code-named Xandra, will have to automatically analyze, transform and run the application and keep it online, according to Brown.

"Each of the systems will also try and take one another down," he said. "So it will be a very interesting game."

GrammaTech and the University of Virginia have also developed Peasoup, an automatic software hardening technology that is used as a component in the Xandra system. Brown explained that the Peasoup program looks at software of unknown origins, transforming it into something that can safely and securely run in a network.

Peasoup was effective against software that was at risk from the OpenSSL Heartbleed flaw that first appeared in 2014. With Peasoup, patches were put in place in systems to prevent Heartbleed exploitation, even in cases where the defective OpenSSL code was still present.

"Even if the code itself is still defective, with Peasoup, the attack surface is effectively blocked," Brown said.

The CGC and the move to help create a new era of autonomous security defenses don't necessarily mean that humans will no longer be needed to help secure devices. Brown emphasized that there is a distinction to be made between autonomous computing and fully artificial intelligence (AI).

"This is very different than AI. These are systems that understand attack vectors and can block attacks, as well as transform themselves," he said. "But at the end of the day these are not artificially intelligent systems; these are autonomous systems that are controlled by policies."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.