Cyber Grand Challenge Taking Place This Week
The Aug. 4 event in Las Vegas in collaboration with DEF CON 24 is the culmination of a multiyear DARPA competition: Seven high-performance computers will compete live in the world's first all-machine game of Capture the Flag.
This is a big week for the hacker community, with both DEF CON 24 and DARPA's Cyber Grand Challenge taking place at the Paris Hotel & Conference Center in Las Vegas (and at Bally's, in the case of DEF CON). DARPA calls its event "the ultimate test of wits in computer security," an open competition and "the world's first all-computer Capture the Flag tournament." The final event on Aug. 4 features seven prototype systems competing for nearly $4 million in prizes in a live network competition.
In Capture the Flag contests, experts reverse-engineer software to find deeply hidden flaws and create securely patched replacements; DARPA modeled the Cyber Grand Challenge on these tournaments in order to "create public proof that it's possible to automate the cyber defense process with machines that can discover, confirm and fix software flaws in real-time," according to the agency.
"The Heartbleed security bug existed in many of the world's computer systems for nearly two-and-a-half years before it was discovered and a fix circulated in the spring of 2014, by which time it had rendered an estimated half a million of the internet’s secure servers vulnerable to theft and other mischief," DARPA notes. "And while Heartbleed was in some respects an outlier, long-lived critical flaws in widely deployed bedrock internet infrastructure are not rare. Analysts have estimated that, on average, such flaws go unremediated for 10 months before being discovered and patched, giving nefarious actors ample opportunity to wreak havoc in affected systems before they move on to exploit new terrain. The reason for these time lags? In contrast to the sophistication and automation that characterize so much of today's computer systems, the process of finding and countering bugs, hacks and other cyber infection vectors is still effectively artisanal. Professional bughunters, security coders, and other security pros work tremendous hours, searching millions of lines of code to find and fix vulnerabilities that could be taken advantage of by users with ulterior motives.
"But what if that system of finding and fixing flaws were just as fast and automated as the computer systems they are trying to protect? What if cyber defense were as seamless, sophisticated, and scalable as the internet itself?" Those are questions the Cyber Grand Challenge seeks to answer.
"Playing in a specially created computer testbed laden with an array of bugs hidden inside custom, never-before-analyzed software, the machines will be challenged to find and patch within seconds—not months—flawed code that is vulnerable to being hacked, and find their opponents' weaknesses before the defending systems do. The entire event will be elaborately visualized on giant monitors in the Paris Las Vegas Hotel's 5,000-person-capacity auditorium while expert 'sportscasters' document the historic competition. And it may not end there," according to the agency’s outline of the event. "The organizers of DEF CON CTF have boldly invited the winning automated system to compete against the world's best human hackers in their Capture the Flag competition the following day, Aug. 5. That would be the first-ever inclusion of a mechanical contestant in that event, and could presage the day when, as eventually happened with chess and Jeopardy!, a computer proves to be the Grand Master of cyber defense."