Engineers Automate Software Exploitation and Patching

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
IEEE Spectrum reports that engineers from Carnegie Mellon University won a DARPA challenge to develop a machine that finds, and fixes, software exploits in bytecode all by itself. "Mayhem," as they call it, reportedly found over 14,000 unique vulnerabilities within the entire Debian Linux distribution within a one week period in 2014, though only 250 of them were "new". Later, in the DARPA challenge's 2016 finals, Mayhem competed against 6 other massive racks from competitors, edging out all the other systems even though it crashed close to the end of the competition. The report mentions that there were about 180 tons of water below the stage to keep all the systems cool, and that all the competing systems were airgapped, meaning they had to find and fix software vulnerabilities with no outside assistance.

ForAllSecure uploaded a video of their efforts awhile ago, which you can check out here.

Mike Walker, the DARPA program director, said that the event’s demonstration of autonomous cyberdefense was “just the beginning of a revolution” in software security. He compared the results to the initial flights of the Wright brothers, which didn’t go very far but pointed the way to transcontinental routes. Right now, ForAllSecure is selling the first versions of its new service to early adopters, including the U.S. government and companies in the high-tech and aerospace industries. At this stage, the service mostly indicates problems that human experts then go in and fix. For a good while to come, systems like Mayhem will work together with human security experts to make the world’s software safer. In the more distant future, we believe that machine intelligence will handle the job alone.
 

Revdarian

2[H]4U
Joined
Aug 16, 2010
Messages
2,616
I went directly to the source to read the article and then looked up the website.

Hats off, no pun intended, to these amazing White Hats, that they won in total points with only 40 of the 100 rounds of the contest with the machine working is a testament to just how sophisticated their machine was, even if at the time it was unstable.

It not only had to analyze binaries without source code, but it had to test the vulnerabilities, generate working exploits and issue the patches, holding some back while it tested the code if it determined that the fix could impact the speed too much (5% or higher). Really darned impressive.
 

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
I went directly to the source to read the article and then looked up the website.

Hats off, no pun intended, to these amazing White Hats, that they won in total points with only 40 of the 100 rounds of the contest with the machine working is a testament to just how sophisticated their machine was, even if at the time it was unstable.

It not only had to analyze binaries without source code, but it had to test the vulnerabilities, generate working exploits and issue the patches, holding some back while it tested the code if it determined that the fix could impact the speed too much (5% or higher). Really darned impressive.

Yeah, it's almost unbelievable. And it really makes me wonder how much further they've taken the concept over the last few years.
 

lostin3d

[H]ard|Gawd
Joined
Oct 13, 2016
Messages
2,043
automated exploitation with organic evolution of code ? That is a nightmare. and damn, i hope the black hats and other state agencies don't get their hands on this tech before everything is shifted to the cloud where it can be patched on the spot..

Exciting and scary. It's like those movie plots where a scientist makes some discovery proclaiming all the good it will do humanity and envisioning some Utopian dream, meanwhile a person in the background is on their cell phone 'making arrangements' .

I do agree though, congratulations to them on such an impressive achievement.
 

lostin3d

[H]ard|Gawd
Joined
Oct 13, 2016
Messages
2,043
Just seemed wrong not to have a pic of the guest of honor especially since it is a thing of beauty!
MzIxMzc0Nw.jpg
 
Top