Slashdot Mirror


DARPA's $4M Cyber-Threat Clash Down To Seven Challengers

coondoggie writes: When it began a year ago, there were 104 teams competing for $4 million in prize money in the Defense Advanced Research Projects Agency (DARPA)'s ambitious tournament — known as the Cyber Grand Challenge (CGC) — to see who can build the best fully automatic network defense system. This week DARPA said that after a couple dry runs and a significant qualifying event the field of CGC teams is down to seven who will now compete in the final battle slated to take place at DEFCON in Las Vegas in August 2016.

23 comments

  1. Shellphish here! by Zardus · · Score: 3, Interesting

    Hello! I'm the "team leader" of team Shellphish, one of the seven finalists. Super cool to see a story about us! If people have questions, I'd love to answer them if I can :-)

    --
    You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
    1. Re:Shellphish here! by Anonymous Coward · · Score: 0

      My first question when seeing the list of finalists -
      a) What languages do you all support
      b) how many of you have software and/or time to look at other projects.

      We have software which hole wise is probably premium Swiss Cheese grade. Would like for something automated to help find (at least) the larger holes.

    2. Re:Shellphish here! by Anonymous Coward · · Score: 0

      Hello. Could you give some details about how the contest works and what Shellphish does exactly?

    3. Re:Shellphish here! by spiritplumber · · Score: 1

      Have you considered partnering with Battlebots builders? (Team Bronco here)

      --
      Liberty - Security - Laziness - Pick any two.
    4. Re:Shellphish here! by Anonymous Coward · · Score: 0

      Don't build Skynet, please.

    5. Re:Shellphish here! by Joce640k · · Score: 1

      Also let us know how an automated security product is supposed to work.

      One of the fundamental tenets of 'security' is that it's an ongoing process, not a finished product:

      https://www.schneier.com/essay...

      --
      No sig today...
    6. Re:Shellphish here! by Anonymous Coward · · Score: 0

      a) The program itself is trying to find problems in compiled x86 binaries. I can't speak to whether the teams programmed support for other languages just for the heck of it. :-) I at least would suggest that, if you don't have need to analyze the binaries proper or are working in some obscure language, you try to find a static analysis tool for your language of choice (I'm most familiar with C/C++ analysis and there are several options in that field) rather than use one of the ones out of CGC. Source code analysis is far easier and more mature than binaries.

      (Disclaimer: my employer is also fielding a CGC team not Shellphish, though I'm not working on that project myself.)

    7. Re:Shellphish here! by Zardus · · Score: 1

      As another commenter mentioned, the CGC looks at compiled binaries, regardless of language. In practice, most (all?) of the challenges were written in C. While, in principle, the choice of language shouldn't matter overly much, some languages make heavy use of constructs which seriously complicate analysis. For example, C++ vtables (https://en.wikipedia.org/wiki/Virtual_method_table) or Objective C's dynamic method lookup (http://stackoverflow.com/questions/14219840/how-does-objective-c-handle-method-resolution-at-run-time).

      As for (b), we're all students and are pretty swamped. There are plenty of companies that do provide professional services. Grammatech (one of the other teams) and ForAllSecure (yet another competitor) both do, for example.

      --
      You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
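
Added example (not part of the thread or of any team's code): a hand-written model of the vtable dispatch mentioned in the comment above, showing why a call site in a compiled binary does not name its callee and what an analyzer can conclude without knowing the object's type. All names (`Object`, `VTable`, `kParserVT`, `kLoggerVT`, `call_slot`, `candidate_targets`) are constructed for the illustration.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hand-written model of what a compiler emits for virtual dispatch.
// Every name below is constructed for this example.
struct Object;
using Method = int (*)(const Object*);

struct VTable {
    const char* cls;            // class name (normally absent from a stripped binary)
    std::vector<Method> slots;  // one function pointer per virtual method
};

struct Object {
    const VTable* vptr;         // first word of every polymorphic object
    int field;
};

static int parser_len(const Object* o) { return o->field; }
static int parser_sum(const Object* o) { return o->field + 1; }
static int logger_len(const Object* o) { return o->field * 2; }
static int logger_sum(const Object* o) { return o->field * 2 + 1; }

static const VTable kParserVT{"Parser", {parser_len, parser_sum}};
static const VTable kLoggerVT{"Logger", {logger_len, logger_sum}};
static const std::vector<const VTable*> kAllVTables{&kParserVT, &kLoggerVT};

// The call site as the binary sees it: load vptr, index a slot, call through
// the pointer. Nothing in this function names the callee.
int call_slot(const Object* o, std::size_t slot) {
    return o->vptr->slots[slot](o);
}

// What a static analyzer can conclude without knowing the object's type:
// every function stored at that slot in any recovered vtable is a candidate.
std::vector<std::string> candidate_targets(std::size_t slot) {
    std::vector<std::string> out;
    for (const VTable* vt : kAllVTables)
        if (slot < vt->slots.size())
            out.push_back(std::string(vt->cls) + "::slot" + std::to_string(slot));
    return out;
}

int main() {
    Object a{&kParserVT, 10}, b{&kLoggerVT, 10};
    // Same call site, same slot, different callee chosen by data in memory.
    return (call_slot(&a, 0) == 10 && call_slot(&b, 0) == 20) ? 0 : 1;
}
```

With two classes the candidate set per slot is two functions; in a real program it grows with every class whose vtable has that slot, which is the over-approximation a binary analyzer has to carry through its call graph.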
    8. Re:Shellphish here! by Zardus · · Score: 1

      Security is definitely a constantly evolving arms race, and it's exactly that cat-and-mouse game that makes it fascinating. A key thing to keep in mind is that this contest isn't necessarily about creating an AI that evolves to respond to emerging attacks or new techniques. In fact, the scope of the Cyber Grand Challenge is quite well defined to identifying, exploiting, and patching memory corruption vulnerabilities.

      The goal of the CGC, as we understand it, is to create a system that, given this human-specified model of "badness" and a model of a protection technique, is able to handle the rest in an automated fashion. The "arms race", for the time being, is going to continue to be played between humans -- new attack techniques and new defense techniques would be discovered by humans and programmed into the "Cyber Reasoning Systems", as the CGC terms our auto-hacking software. Rather than taking that fun part away from humans, the goal of the CGC is to relieve us of the task of analyzing/exploiting/patching individual pieces of software.

      --
      You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
    9. Re:Shellphish here! by Zardus · · Score: 1

      The contest works as follows:

      - every team creates a "Cyber Reasoning System", which is software that takes a vulnerable application binary as input and outputs an exploit and a patched version of the binary
      - when the contest starts, DARPA releases a crap-ton of applications (for the qualifying event, there were 131, some of which were complex applications that comprised multiple binaries)
      - each team's CRS analyzes these binaries (without human intervention), and submits the resulting exploits and patches to DARPA

      For the final event, there will be multiple "rounds", in which our CRSes will attempt to hack the *patched* binaries provided to us by our competitors. Additionally, their exploits will be actively launched against our binaries, so we can do some traffic analysis on top of our program analysis.

      For the contest, Shellphish put on our researcher hats (we are a bunch of graduate students) and condensed a lot of our recent research into an automated Cyber Reasoning System. Given that this was a student effort, there was the expected level of chaos (for example, at one point, one of my teammates accidentally ran "rm -rf /cgc"), and the expected level of fun (fun being defined as staying in the lab all night, working on automated hacking systems!).

      In the more general sense of what "Shellphish does", we are a CTF (Capture The Flag) team. By CTF, in this context, I mean a computer security Capture the Flag contest, in which teams have to exploit services (network applications) to steal "flags" (random, secret data) from other teams and redeem it for points. Some popular CTFs are the iCTF (run by us at UCSB for students to participate in, http://ictf.cs.ucsb.edu/), CSAW CTF (run by NYU Poly, https://ctf.isis.poly.edu/), and, of course, Defcon CTF (the world championship, http://legitbs.net/). Shellphish is, I think, the oldest CTF team that's still playing (at least, definitely the oldest still qualifying for and playing Defcon CTF). I don't know how good a distinction that is, but it's something ;-)

      --
      You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
    10. Re:Shellphish here! by Zardus · · Score: 1

      Haha, that sounds like a badass idea! Does battlebot have any rules in place for "electronic warfare" like that?

      --
      You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
  2. Is that what you want? by Gravis+Zero · · Score: 1

    because that's how you get Skynet.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Is that what you want? by coofercat · · Score: 1

      first you get a whole lot of very confused sysadmins during an outage ;-)

    2. Re: Is that what you want? by Anonymous Coward · · Score: 0

      SkyNet, and killer AI robots - is the whole point

    3. Re:Is that what you want? by Maritz · · Score: 1

      If we develop an AI from the ground up, we would get to specify all of its preferences. Should be fairly easy from there to omit 'dominate world/all life' from the list. I think this stands even with self-improving AI; changes in goal are not the same thing as improvements. Obviously we anthropomorphise/project when we think about these things, but our drive to dominate and our political urge for power are hangovers from our evolution, not things that you would necessarily expect to apply to any and all things that 'think'.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re:Is that what you want? by Anonymous Coward · · Score: 0

      You haven't been paying attention. The current development approach in the AI field is empirical: Algorithms are constructed to mimic biologic intelligence, then massive amounts of data are fed into these algorithms to train them, then we measure the results. Long after these algorithms are used in production systems do computer scientists try to figure out what exactly they have created. (Remember the "do algorithms dream of electric sheep" stories lately? That was Google trying to figure out how their image recognition neural networks behave.) If we create actual AI following that approach, we won't be able to measure its preferences before it's too late, let alone specify any preferences.

  3. proving defcon = govt by Anonymous Coward · · Score: 0

    you need to see why now real hackers NEVER go there

    1. Re:proving defcon = govt by Demonoid-Penguin · · Score: 1

      When did you finally crack that deep cover genius? Now Defence Contracting will have to change the name 'cause you've spoiled it all. You brave whistle-blower you.

  4. Winning Network Defense is a Robot... by Anonymous Coward · · Score: 0

    ...that air gaps the network with a laser to the ethernet cable, and attempts to kill anyone who approaches the network with a USB stick, but simply falls down the stairs instead, twitching.

    1. Re:Winning Network Defense is a Robot... by Demonoid-Penguin · · Score: 1

      ...that air gaps the network with a laser to the ethernet cable, and attempts to kill anyone who approaches the network with a USB stick, but simply falls down the stairs instead, twitching.

      You wasted your money investing in that venture.

      It must hurt to lose a lucrative defence contract to a can of floor wax and a $2 sign that says "Do not run".

  5. Cool! by Demonoid-Penguin · · Score: 3, Informative

    I remember back in the late '90s (when I was playing junior football with Moses) when the knee-jerk industry reaction to malware was to stop funding any sort of "active" defence systems development. True the old ping of death doesn't work anymore (it was a fun anti-cracker defence until the ISP put an end to it - a bit like burglars suing when they slip on your shiny floor and hurt themselves). I can think of a few interesting alternatives though, but I might just stick with the standard re-direct to an interesting picture for the time being given our silly "cyber-crime" laws.

    .htaccess

    [...]
    Redirect 301 /admin http://www.ahtcc.gov.au/
    Redirect 301 /administration http://www.ahtcc.gov.au/
    Redirect 301 /shop http://goatse.info/
    Redirect 301 /oscommerce http://goatse.info/
    Redirect 301 /ipb http://goatse.info/
    Redirect 301 /forum http://goatse.info/
    Redirect 301 /user http://goatse.info/
    Redirect 301 /manager http://goatse.info/
    Redirect 301 /_vti_bin http://goatse.info/
    Redirect 301 /admn/scripts/setup.php http://goatse.info/
    Redirect 301 /w00tw00t.at.blackhats.romanian.anti-sec http://goatse.info/
    Redirect 301 /manager/status http://goatse.info/

  6. Capitulation of DEFCON by Anonymous Coward · · Score: 0

    DEFCON is supposed to be something of the people, not something for the TPTB

    By having DARPA's involvement in DEFCON, the capitulation is complete

    1. Re: Capitulation of DEFCON by Anonymous Coward · · Score: 0

      You used to have a choice: with TPTB, against them, or neutral. No more. Now it's with the TPTB or you're a terrorist, and I don't need to speak out loud what happens then. This is the world we live in now and there is nothing we can do. In fact, I believe even thinking about that nothing we can do could be dangerous. We're being watched all the time now, or at least that's what we should assume.