Bug-hunting software would act faster, potentially patching vulnerabilities as soon as it sees them being exploited. The Cyber Challenge is testing out the most elemental form of the idea, but if the test models become practical, it would be a pivotal change for the security profession, which currently assumes that any widely used software has vulnerabilities we don’t know about. Computability theory dictates that the programs won’t be able to find every vulnerability, but just outrunning human researchers and speeding up the patch cycle would be enough to fundamentally change the way software works. “It is utterly disruptive to the way we think about computer security,” Walker says. “Right now we’re worried about you clicking the wrong link, or knowing about that command and control server as a threat indicator, but we’ve given up on the software safety part of it. It’s considered an unsolvable problem.”
For now, Walker is most concerned with showing the idea can work at all. The entries submitted today will be run against a suite of test software, with the best entries receiving funding from DARPA. The funded teams will compete against an open field in a series of challenges leading up to Defcon 2016, where the finalists will go head to head, using high-powered computers to show off their programs in front of a live audience. To test out the programs, Walker’s team is providing a brand new binary executable format and 100 new pieces of software. Each one comes with a clear task and a clear success state; the attacker’s job is to make it fail. That means any vulnerabilities will be completely new and useless for attacks on existing software. As Walker put it, “We needed a desert to play in.”
Dynamic defense is the future. We currently operate under the premise that network devices and endpoint software are essentially dumb, which is why we require very specific types of cyber defense appliances and endpoint protection mechanisms (i.e., IPSs, sandbox analysis, anti-virus/anti-malware software, etc.).
If software can detect an attack and defend itself appropriately, then much of what we know about network security today will dramatically change.