Guest Editorial by Y Tran, Field Marketing Specialist, GrammaTech
In August 2016, GrammaTech competed as one of the seven finalists in DARPA’s Cyber Grand Challenge (CGC), the world’s first all-machine hacking tournament.
GrammaTech’s Team TECHx, collaborating with software experts from the University of Virginia, ultimately won second place and brought home a $1 million prize, all in the name of cyber security research and development.
(Seven high performance Cyber Reasoning Systems Finalists successfully played a game of Capture the Flag during the Final Event of DARPA’s Cyber Grand Challenge. In doing so, they made history, proving that it is possible to automate cybersecurity. Courtesy of DARPAtv and YouTube)
There is a long tradition of computer-based Capture the Flag games in the hacker community, with a number of variations, the most famous, perhaps, at the annual DEF CON in Las Vegas.
The Cyber Grand Challenge followed the same basic structure as these Capture the Flag contests, but took the game to a whole new level by automating the entire thing: the competitors in this Capture the Flag game were not teams of humans (at least not directly), but rather pieces of software.
In the actual outdoor game, teams compete to bring home opponents’ flags, while at the same time trying to protect their own.
At the Cyber Grand Challenge, the “flags” were system vulnerabilities, and teams competed to spot and prove one another’s vulnerabilities while protecting their own, using fully autonomous systems called Cyber Reasoning Systems.
Each of the Cyber Reasoning Systems played all of the roles that the members of a human team would play: analyzing software components, designing and implementing security fixes for its own system, designing and implementing attacks against other systems, and strategizing.
The challenge started in 2014, and qualifying events whittled an initial field of over 100 teams down to just 7 teams for the final event.
During the final event, DARPA distributed Challenge Binaries (CBs) that implemented network services, which had been specifically crafted to contain different vulnerabilities.
The Cyber Reasoning Systems could re-write the CBs to make them less vulnerable while simultaneously exploiting the vulnerabilities in other systems’ CBs.
When a team’s system successfully attacked another system’s CB, it gained points, and when a system’s fielded CB was successfully attacked, it lost points.
(DARPA’s liquid-cooled data center, the “arena” for the Cyber Grand Challenge, was built in only 29 hours. The stage is home to seven teams’ Cyber Reasoning Systems. These CRS are the sole competitors in this, the world’s first machine vs. machine game of Capture the Flag. Courtesy of DARPAtv and YouTube)
Point scoring, in addition to the above scenario of defense and offense, also included availability, which made things a bit more complicated.
The final points were calculated as the product of availability x security x evaluation, so the Cyber Reasoning Systems had to handle all three areas simultaneously, as the absence of one would lead to a score of 0. Teams’ unique strategies influenced the scoring of each factor differently.
GrammaTech’s intensive research in software assurance, binary analysis, software hardening, and autonomic computing aligned closely with the CGC’s objectives and therefore put the company in a good position to drive TECHx to second place.
Xandra, TECHx’s Cyber Reasoning System, used sophisticated binary analysis technology and an autonomic computing technology called PEASOUP (Preventing Exploits of Software of Unknown Provenance), which was originally developed as part of a research contract with the U.S. Air Force.
While the Cyber Grand Challenge undoubtedly promoted the development of autonomic computing within the security community, it also highlighted a serious problem: the inadequacies of current security systems.
With the increasing connectivity of the modern-day IoT landscape, the development of automated security systems is more imperative than ever.
GrammaTech’s research in autonomic computing pursues this goal, bringing many technologies together to create fully functioning systems that can detect when they are under attack and protect themselves against exposing critical data or crashing altogether.
As DARPA stated, “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”