DARPA launches challenge to help create hacker-proof software

The Defense Advanced Research Projects Agency isn’t shy about reminding folks every now and then that it developed the technologies that eventually turned into the Internet.

Forty-five years later, DARPA is consumed with figuring out how to make the technologies it unleashed more secure. It showed off more than 100 separate projects with that goal in mind in a demonstration at the Pentagon Wednesday, including an upcoming challenge program that aims to create computer systems that can help create hacker-proof software.

The Cyber Grand Challenge, set to formally launch in early June, will offer $9 million in prize money as an enticement for teams of experts to create systems that can automatically scan computer software for security vulnerabilities without human intervention. The thinking goes that if security flaws can be identified at “machine speed,” they can be patched long before hackers have a chance to find and exploit them.

“Today’s security products are just massive checklists that come with patches for vulnerabilities, signatures for malware, and all those checklists are built by knowledge workers who use analysis tools to look at software,” said Michael Walker, the program manager for the challenge. “We want to take those tools and move them into high performance computers and make them fully automatic. There’s very good proof that this is possible and the very first precursor systems are happening. Microsoft built a high performance computer that spent 200 machine years thinking about Windows 7 and trying to find vulnerabilities, and it found a third of all the critical security vulnerabilities that have ever been found in Windows 7. So Microsoft was able to remove them before it ever shipped to consumers. So we think these systems are ready to go out and actually defend networks on their own.”

DARPA is not yet disclosing who it expects to participate in the challenge, but Walker said he expects a “good plurality” of the best minds in security automation to compete. The winning team will get $2 million and the rest will be divided amongst runners-up.

The competition will pit automated systems against one another in a contest to see which one can identify the most vulnerabilities in an operating system and software environment that DARPA built just for the challenge. Using a purpose-built environment prevents competitors from relying on their knowledge of existing vulnerabilities in real-world software. Instead, it will be a contest of the best analytical methods for finding security weaknesses.

DARPA hopes the competition will ultimately improve each of the automated systems that take part in the challenge, ideally to the point where they become better at sniffing out security holes than today's best human analysts.

Eventually, the agency wants one of the machines to compete against real-world hackers in a “capture the flag” cybersecurity challenge. But Walker says that step is probably at best a few years away.

“If you look at how the DARPA vehicle grand challenges happened, they started out as prototypes in the middle of the desert. They were not ready for the streets of San Francisco,” he said. “Grand challenges happen right at the beginning of a new technology when we’re just trying to figure out which approaches work. What happens after that is the long road of research and development toward commercialization and productization and refinement. Before we even talk about how that’s going to happen, we have to prove that this idea is real.”