July 28, 2016
Four years ago, Carnegie Mellon professor David Brumley had an idea: automate the process of finding software bugs. Those bugs are more plentiful than ever with the explosion of the Internet of Things (billions of connected devices, like smart thermostats or fitness trackers) that are often manufactured with little attention paid to security. Now, building on research that began in Carnegie Mellon’s CyLab, Brumley is heading to a national stage to compete against the country’s best automated bug finders.
Next week, Brumley’s CMU spinoff ForAllSecure will compete for the grand prize at the Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge, the first hacking contest ever fought entirely between computers, with no humans in the loop. The winner among the seven finalist teams will take home $2 million.
Brumley has a vision for ForAllSecure’s automated bug-finding system that reaches far beyond next week’s contest.
“What we hope to be able to do is make it so everyone can check the security of their software,” says Brumley, who wears several hats as CEO of ForAllSecure, director of CyLab, and professor of Electrical and Computer Engineering (ECE). “Right now, only the developer of that device or that program can check, but we want to free that ability for everyone.”
“We have a shared vision, and that vision is to make the world’s software safer by building better tools,” says ECE alumnus Thanassis Avgerinos of ForAllSecure, which he co-founded with Brumley and fellow ECE graduate student Alex Rebert. “We want to do this by developing a system that automatically finds security bugs before the bad guys do, and fixes them.”
Automated bug-finding is a relatively new area emerging in a field that is struggling to meet employment demand. But Brumley stresses that automated bug-finding systems will not replace people: humans will always supply the expertise and creativity an ever-evolving cyber landscape requires, while automation provides much-needed speed and scale. More experts are needed, not fewer, because the technology will only be as strong as the talent leading its development.
When it comes to defenders and attackers of software, there is currently a significant imbalance of power: defenders have to make sure every piece of the software is secure, while attackers need to find only a single vulnerability, one hole in the software, to take control.
“Our best data tell us that that hole will work for about a year before it’s discovered by defenders,” DARPA Program Manager Mike Walker, the lead organizer of the Cyber Grand Challenge, said in a recent 60 Minutes interview. “You want computers to be able to defend themselves, and it’s going to change the balance of power between attackers and defenders.”
ForAllSecure’s automated bug-finding system consists of multiple components working in tandem. While one component hunts for bugs, another takes those bugs and turns them into working exploits, and yet another patches the software.
“Everything is working somewhat independently, almost like different people with different jobs,” says Tyler Nighswander, a School of Computer Science and Mellon College of Science alum and engineer for ForAllSecure.
The DARPA Cyber Grand Challenge final event will be held on August 4th at the Paris Hotel and Conference Center in Las Vegas.