This is Mayhem, the supercomputer that won a Pentagon contest to autonomously hunt software bugs.
The machine was built by a team from ForAllSecure, a technology startup that won first place in the Defense Advanced Research Projects Agency’s Cyber Grand Challenge.
The contest, which took place Aug. 4 in Las Vegas and coincided with DEF CON, one of the world’s largest conferences for hackers, pitted seven supercomputers against each other in a digital game of “Capture the Flag” to comb software for problematic code.
The computers were big, standing several feet tall and requiring huge amounts of electricity and water to keep cool — some 300 kilowatts of electricity, enough to power one-and-a-half city blocks, and 180 tons of water at a rate of 200 gallons per minute.
ForAllSecure, a spinoff from Carnegie Mellon University in Pittsburgh, received a $2 million cash prize for placing first in the contest with its Mayhem machine.
“Our vision is to check the world’s software for exploitable bugs so they can be fixed before attackers use them to hack computers,” David Brumley, chief executive officer of ForAllSecure, director of Carnegie Mellon’s CyLab Security and Privacy Institute and a professor of electrical and computer engineering, said in a statement. “We believe our technology can make the world’s computers safe and secure.”
A team called TECHx, with experts from GrammaTech Inc. and the University of Virginia, placed second, earning a $1 million prize; and another called Shellphish, with graduate students from the University of California-Santa Barbara, was the third-place winner, landing $750,000, the release states.
The goal of the DARPA project is to help develop bug-hunting bots that eventually could be used to better protect commercial and defense products, according to Mike Walker, who manages the Cyber Grand Challenge program at the research agency.
“These machines behind me were built atop decades of program analysis science, engineered over two one-year stages of competition, and built by pioneers — program analysis scientists, hackers and engineers — so tonight, these machines will play Capture the Flag against each other,” he said in a YouTube video about the contest. “Tomorrow, we hope the lessons learned will change the field of computer security.”
According to DARPA, “the need for automated, scalable, machine-speed vulnerability detection and patching is large and growing fast as more and more systems — from household appliances to major military platforms — get connected to and become dependent upon the internet.
“Today, the process of finding and countering bugs, hacks, and other cyber infection vectors is still effectively artisanal,” the agency said in a release. “Professional bug hunters, security coders, and other security pros work tremendous hours, searching millions of lines of code to find and fix vulnerabilities that could be taken advantage of by users with ulterior motives.”
Increasingly sophisticated cybersecurity attacks not only result in theft and mischief, but also have the potential to damage physical structures and systems.
In a 2007 research effort called the Aurora Project, the Idaho National Laboratory showed the relative simplicity of hacking water and power utilities by flicking key circuit breakers, essentially using generators as weapons.
In December, the Ukrainian power grid was hacked, leaving hundreds of thousands of homes — about half — in the Ivano-Frankivsk region of the country without electricity. In 2010, the Stuxnet computer virus infected Iranian nuclear facilities in what Wired magazine called “the world’s first digital weapon.”
Walker, the program manager, compared the project’s potential to that of Stanley, the self-driving car that won the 2005 DARPA Grand Challenge, according to the release.
“Stanley earned its place in the Smithsonian by redefining what was possible,” he said in the release. “And today the technology descended from Stanley and his competition are driving on America’s streets all on their own. That long-awaited revolution is arriving on our streets and highways right now.”
Walker said the computer virus-hunting machines may someday eliminate the vulnerability posed by zero-day, a term defined by Wired as a security hole in software, such as a browser or operating system, that is yet unknown to the software maker or to antivirus vendors.
“Imagine the technology that will follow these first prototypes and what that technology will mean,” he said. “Imagine networks where zero day cannot happen to anybody, where zero day does not guarantee a hacker’s success, where defenders work together with guardian machines to keep networks safe.”