Hackers to Military: Replace Us with Robots –Don’t Think So!

darpa-screen-grab.jpg
DARPA's "Grand Challenge": $2 million prize for making cyber security smarter

 Every year, thousands of information-security specialists, computer scientists, and few mohawked geeks who proudly wear the moniker of hacker gather here for a very particular digital war game:, the DEF CON capture- the-flag, or CTF, competition. To win, you have to find weaknesses in other teams’ defenses, steal their data flags, and protect your own.
But next year, it won’t just be humans squaring off. In addition to the regular DEF CON CTF event, the 2016 meeting will pit seven teams’ robotic hackers against each other in an AI capture-the-flag contest. Then humans will take on the robots.
The robot-vs.-robot battle is part of the Defense Advanced Research Projects Agency’s Cyber Grand Challenge series of competitions. (DARPA is not involved with the robots-vs.-humans competition, although some teams may participate in both, agency spokesman Jared Adams said.)

The arrival of an AI system that can outflank humans in breaching security and protecting data in a dynamic game environment would be a force multiplier for defensive cyber security and even offensive cyber warfare. But will war in a machine environment necessarily favor the machines? Not according to many of the hackers at this year’s DEF CON. Everyone who talked to Defense One about next year’s competition were confident that it would be years before a robot team would beat human hackers at their own game. 

Cyber Grand Challenge program manager Michael Walker laid out why it’s a better test for artificial intelligence than many other game scenarios, like chess or checkers. “You have to do binary reverse engineering the entire time,” he said, referring to the practice of dissecting and reconstructing program files. “The only way to figure out how the software works is to reverse…and do it as fast as you can while your opponents are trying to the same over you,” Walker said. “To even explore the state space, I have to be able to synthesize logic.” 

Robot hackers also have to be able to exhibit some very humanistic behaviors — skepticism, creativity, and even the ability to bluff — gray areas that get machines into trouble in games that aren’t perfectly straightforward. It’s one reason why computers that can dominate at chess get into trouble when the game requires what might be called instinct, like poker. “If machines can’t win at go, can’t win at poker, do they have a chance at all? That’s exactly what we’re talking about,” Walker said. 

But if one of the seven robot teams wins, will it signal the end of the era of human hacking in the same way that the self-driving cars foretell the end of human driving? Well, not quite. The Cyber Grand Challenge won’t be the free- for-all that is the regular CTF. It will take place within DARPA’s DECREE operating system, released as open source last year.  DECREE has seven system call types, or syscalls, ways a user can talk to the operating system’s input/ output manager. In the context of information security, syscalls are tools you can use for attack. Because the DARPA CTF will be limited to seven syscalls, it will be a rather more tame version of the regular DEF CON CTF, in which teams working in an X86 environment might use 200 syscalls.

This all means is that the contest will be more of a boxing match and less of a street brawl. 
So do the hackers think a robot is going to beat them? “Absolutely not,” said one, who declined to be named but is a self-described hacker who was providing technical support to the DEF CON CTF this year. “There are classes of challenges that will always be outside of the capabilities  of machines,” he said. “CGC is primarily focused on memory corruption vulnerabilities. That doesn’t include classes of bugs that are logic errors which are ridiculously difficult to detect autonomously. Like, how do you tell if something is intentional behavior, a back door, or a programming mistake?”
Ryan Grandgenett, an information assurance researcher at the University of Nebraska, agreed that humans would probably beat out machines for the foreseeable future. “I know that Google has made some pretty big advancements in chatbots that look like humans, but I don’t know about something this complex,” he said. 
Added Cmdr. Commander Michael Bilzor, an instructor at the United States Naval Academy, “Finding exploits is so much an art form right now. Particularly because the large space of operating systems.”
Not everyone was quite so pessimistic about the machine teams’ chances. One observer, who asked to be identified only as someone who had worked in a security operations center for a large university, said that he was impressed by the DARPA talk, and estimated that a machine would beat a human at seven to ten years from now. “If capture-the-flag is a number of flags in a time limit, a computer is going to have an advantage,” he said. 
And Bilzor said the terms of the fight mean that it’s no real contest at all. After all, in an actual battle setting, no hacker would limit the types of strikes or holds (syscalls) that they could use. “The only way to get the automated systems to play is to constrain the problem, which they’ve done.” he said. “If you’re talking about full spectrum vulnerability identification and exploit generation on any architecture, using any operation base and any syscalls set? You’re probably talking at least a decade, in my opinion,” he said. 

All trash talk aside, the DEF CON attendees were broadly appreciative of the DARPA effort and all the new open-source tools, like DECREE, that the agency has released for it. Overall, it’s already been a PR win for the agency, unlike the recent Robotics Grand Challenge event, which produced, primarily, laugh reels of robots falling down.  
The hackers just don’t think you can automate exploit fencing in a way that will threaten their livelihoods any time soon. Hear that, robots? The gauntlet has been thrown. 
DefenseOne: http://bit.ly/1DE7RdH

 

« Cyber Insecurity: Going Dark
A Drone That Hacks Computers »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Nuix

Nuix

Nuix specialise in extracting knowledge from unstructured data. Applications include Digital Forensics, Cybersecurity Intelligence, Information Governance, eDiscovery.

Beachhead Solutions

Beachhead Solutions

Beachhead's SimplySecure is a configurable, web-based management tool allowing you to remotely secure vulnerable mobile devices in your organization.

CodeOne

CodeOne

CodeOne provides solutions for website and web app security.

Cyber London (CyLon)

Cyber London (CyLon)

CyLon is a leading cyber security accelerator and seed investment programme. We help entrepreneurs from across the globe to build cyber security businesses, raise investment, and develop partnerships.

XLAB

XLAB

XLAB is an R&D company with a strong research background in the fields of distributed systems, cloud computing, security and dependability of systems.

GuardRails

GuardRails

GuardRails provides continuous security feedback that empowers developers to find, fix, and prevent vulnerabilities.

Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE)

Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE)

CMMC COE is an IT-AAC sponsored public–private partnership that will be the focal point for entities seeking to achieve Cybersecurity Maturity Model Certification.

AdEPT Technology Group

AdEPT Technology Group

AdEPT are a managed services and telecommunications provider offering award-winning, proven and uncomplicated technical solutions for over 12,000 organisations across the UK.

Brace168

Brace168

Specialising in Cyber Security incident identification and response, Brace168 is uniquely positioned to provide a vast experience in managed security services to meet the needs of all business types.

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) protects Singapore from external threats and safeguards its interests in areas related to terrorism, cyber security, other transnational threats, and geopolitics

StickmanCyber

StickmanCyber

At StickmanCyber we are on a mission to create a digital world that is safe for everyone - we are your trusted cybersecurity partner.

BalkanID

BalkanID

BalkanID is an Identity governance solution that leverages data science to provide visibility into your SaaS & public cloud entitlement sprawl.

Ridge Security

Ridge Security

Ridge Security enables enterprise and web application teams, ISVs, governments, education, DevOps, anyone responsible for ensuring software security to affordably and efficiently test their systems.

TrustMe

TrustMe

TrustMe’s integrated platform for business trust and resilience keeps organizations safe, secure, and trustworthy.

CHERI Alliance

CHERI Alliance

CHERI Alliance is an industry initiative spearheading the global adoption of the Capability Hardware Enhanced RISC Instructions (CHERI) security technology across the computing industry.

RANE Network

RANE Network

RANE is a global risk intelligence company that provides critical insights and analysis to more efficiently anticipate, monitor, and respond to emerging threats.