Hackers have been breaking through a lot of government agencies’ defenses these past years, and DARPA thinks it’s high time to do something about it. The Pentagon’s mad science division has launched a new program called Rapid Attack Detection, Isolation and Characterization (RADICS), which aims to develop innovative technologies that can quickly detect and respond to cyber attacks. Not just any cyber attacks, though: RADICS was specifically created to deflect security threats to critical infrastructure in the US, especially infrastructure that is vital to the Department of Defense’s missions. The agency likely wants to make sure the government can quickly detect and fight off terrorists and/or hackers trying to switch off the country’s electricity or transportation systems.
The Defense Advanced Research Projects Agency in 2011 launched a program to help make “the code behind the physical control systems of an airplane or self-driving car,” for instance, “become mathematically, provably unhackable,” Carter said at a future technology forum hosted by the agency.
“DARPA’s already made some of that source code openly available online – it can give the Internet of Things a critical foundation of cybersecurity, which it’s going to need,” he said.
By 2020 there will be 250 million Internet-connected vehicles on the road, according to Gartner. A Wired journalist a few months ago had private researchers remotely kill the transmission of a Jeep on a St. Louis highway — while he was sitting in the driver’s seat.
The qualifying competition took the form of a CTF game, which in the cyber realm is a common and popular way for security experts to develop their skills. There are leagues and large-scale competitions devoted to it. Members of the Army’s burgeoning Cyber Mission Force, in fact, recently staged a CTF game as part of their training.
For DARPA’s competition, teams built and programmed high-performance computers to play the game, in which the machines had to reverse-engineer software created for the contest and find and fix weaknesses hidden within. And because it was the first CTF event played solely by machines, it was conducted at a speed that human-controlled computers can’t match. A typical CTF tournament might involve participants analyzing 10 pieces of software over the course of 48 hours; in DARPA’s qualifier, the machines examined 131 pieces of software and had to do it in 24 hours, DARPA said. In total, the teams fixed all 590 software flaws the contest developers knew about.
“The results bode well for an exciting competition next year and confirm the value of using a grand challenge format,” Walker said. “With no clear best approach going in, we can explore multiple approaches and improve the chances of producing groundbreaking improvements in cybersecurity technology.”
Peiter Zatko, a respected computer security researcher better known by the nickname Mudge, says he’s leaving his job at Google to explore ways to help the U.S. government make software more secure.
Zatko announced the move on Twitter.
An Obama Administration official tells Re/code that recent advances in using automated methods to analyze software code for vulnerabilities have spurred interest in government circles in seeing whether there’s a way to standardize how software is tested for security and safety. “The Administration has had some discussions about the potential pros and cons of such a system and how it might be implemented,” the official said. The administration is interested in supporting a feasibility study to determine whether such techniques could work, the official said, but stressed that no plans have been finalized.
A former researcher with DARPA, the research arm of the U.S. Department of Defense, he joined Google along with fellow DARPA alum Regina Dugan to work on security research at the search giant’s Advanced Technologies and Projects Group.
This appears to be a big win for the US government, which has been in bad shape lately and is in need of brighter minds to help it close the many remaining open gaps.
Bug-hunting software would act faster, potentially patching vulnerabilities as soon as it sees them being exploited. The Cyber Challenge is testing out the most elemental form of the idea, but if the test models become practical, it would be a pivotal change for the security profession, which currently assumes that any widely used software has vulnerabilities we don’t know about. Computability theory dictates that the programs won’t be able to find every vulnerability, but just outrunning human researchers and speeding up the patch cycle would be enough to fundamentally change the way software works. “It is utterly disruptive to the way we think about computer security,” Walker says. “Right now we’re worried about you clicking the wrong link, or knowing about that command and control server as a threat indicator, but we’ve given up on the software safety part of it. It’s considered an unsolvable problem.”
For now, Walker is most concerned with showing the idea can work at all. The entries submitted today will be run against a suite of test software, with the best entries receiving funding from DARPA. The funded teams will compete against an open field in a series of challenges leading up to Defcon 2016, where the finalists will go head to head, using high-powered computers to show off their programs in front of a live audience. To test out the programs, Walker’s team is providing a brand new binary executable format and 100 new pieces of software. Each one comes with a clear task and a clear success state; the attacker’s job is to make it fail. That means any vulnerabilities will be completely new and useless for attacks on existing software. As Walker put it, “We needed a desert to play in.”
Dynamic defense is the future. We currently operate under the premise that network devices and endpoint software are essentially dumb, which is why we require very specific types of cyber defense appliances and endpoint protection mechanisms (i.e. IPSs, sandbox analysis, anti-virus/anti-malware software, etc.).
If software can detect an attack and defend itself appropriately, then much of what we know about network security today will dramatically change.