Stopping malicious hackers and securing software is extremely hard. But what if you could make software that hacks other software, finds bugs, and fixes them more quickly than human hackers could?
The challenge boils down to an oft-repeated mantra in the world of information security (or cybersecurity, if you prefer the more sneezed-at term): attackers only have to win once—or find one bug—while defenders have to win all the time, with no margin for even one error. But automated security software could help: in essence, it would be a robot hacker that might actually win all the time and stop its malicious counterparts.
That software doesn’t exist yet, but the Defense Advanced Research Projects Agency (DARPA), the US military's research arm, believes that it’s only a matter of time.
“I believe the world series of hacking will soon be won by a machine,” Mike Walker, a program manager at DARPA, said last year.
Walker was referring to the famed hacking competition known as “capture the flag,” where hackers compete to break into or defend systems. The most famous capture the flag competition is held every year at DEF CON, one of the world’s largest hacking conferences.
Next year, DEF CON will host the first capture the flag for computers only, where machines, instead of hackers, will compete against each other for a prize of $2 million in DARPA’s Cyber Grand Challenge.
For this challenge, more than 100 teams of computer security pros all over the world are building machines that, one day, might very well replace their overlords.
“If you wanted to take the human obsolescence, ‘robots are here to steal our future’ view of the world, Cyber Grand Challenge is here to put hackers out of work,” Andrew Ruef, a researcher at Trail of Bits, one of the companies that are participating in the challenge, told Motherboard.
But for DARPA, automation is the only way toward a more secure future.
“The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly,” Walker said. (DARPA declined to comment for this story.)
The inherent advantage of machines, obviously, is that they never sleep, and that they can perform more calculations per second than humans. So having machines scan software or networks for vulnerabilities and bugs, in theory, can be more effective than having a team of hackers, even the most brilliant ones, do the same.
But in reality, Ruef said, the machines can only get you so far, as they still need those hackers to program them and tell them what to do and what kind of bugs to look for. In other words, you can teach a computer to calculate the best way to go from point A to B, but the machine can’t come up, by itself, with the idea of going to point B, Ruef said.
“Humans still play a role in this, in that we encode the goal,” he said.
Moreover, it’s hard to program machines to have a hacker’s intuition. That’s why a future in which we don’t need real hackers and security researchers to protect computers and networks is probably still far away.
“Computers can do what we program them to do, but you always are going to need that human who is thinking up a new attack and then programming the computer,” David Brumley, the co-founder of the Pittsburgh-based startup ForAllSecure, and one of the early favorites of the challenge, recently told NextGov.
That’s why Ruef thinks that in a competition between machines and human hackers to find one bug in an extremely complicated program, a human hacker would probably win today.
Just like the research, DARPA’s challenge is also in its early stages. This week, teams are going through a second dry-run to test their systems, ahead of the first official qualification event, which will be held on June 3. Those teams that make it through the qualification will then be evaluated by DARPA through the summer, and seven of them will make it to the final event in 2016.
One of the robot hackers will best the others and win its human overlords $2 million. Then, perhaps, one day, it will replace them.
Goodbye, Meatbags is a series on Motherboard about the waning relevance of the human physical form.