Last night, DARPA’s long-planned Cyber Grand Challenge came to a dramatic finish in a 10-hour battle royale at Defcon, pitting seven automated security systems against each other to see which could find, exploit, and patch software vulnerabilities most effectively. The CMU-based ForAllSecure team emerged as the winner, finishing the 95-round contest with a clear lead after pulling ahead in round 10.
True to predictions, keeping the systems running proved to be one of the most significant challenges, and even ForAllSecure’s winning Mayhem system scored zero in a number of later rounds due to system failure. Mayhem was trailed by Xandra (built by researchers from GrammaTech and the University of Virginia) and Mechaphish (built by researchers from UC Santa Barbara), which were awarded $1 million and $750,000, respectively.
One of the main surprises of the event was the inclusion of a number of vulnerabilities that mirrored real-life security issues, including the Heartbleed bug that caused havoc for OpenSSL systems in 2014.
Still, when the systems were working best, they were able to identify vulnerabilities, reverse-engineer exploits, and deploy a successful patch to stop the attack, all in a fraction of a second. The challenge’s program manager, Mike Walker, called the event a "clear proof of principle that machine-speed, scalable cyber defense is indeed possible."
"I’m confident it will speed the day when networked attackers no longer have the inherent advantage they enjoy today," Walker said.