DARPA Celebrates Cyber Grand Challenge Winners

Members of ForAllSecure, the developer of first-place finisher Mayhem, appear on stage at the Cyber Grand Challenge closing ceremony with CGC Program Manager Mike Walker and DARPA Director Arati Prabhakar.

DARPA officials released partial final, audited results (Aug 7) of yesterday’s all-day Cyber Grand Challenge (CGC) Final Event—the world’s first all-machine cyber hacking tournament—and confirmed that the top-scoring machine was Mayhem, developed by team ForAllSecure of Pittsburgh.

Second place was formally awarded to Xandra, a cyber reasoning system developed by TECHx of Ithaca, N.Y., and Charlottesville, Va.

Following an extended verification process by the Cyber Grand Challenge Competition Framework Team and the DARPA Verification Team, third place was awarded on Sunday, August 7, to Mechanical Phish, developed by Shellphish of Santa Barbara, Calif. For details of the verification process, visit (Q6/A6): https://github.com/CyberGrandChallenge/Event-FAQ/blob/master/event_faq.md.

At a ceremony held in the ballroom of the Paris Las Vegas Conference Center, DARPA Director Arati Prabhakar and CGC program manager Mike Walker congratulated the winners and thanked all of the seven competing finalist teams for helping DARPA achieve its goal of accelerating the development of advanced, autonomous systems that can detect, evaluate, and patch software vulnerabilities before adversaries have a chance to exploit them.

“DARPA was created nearly 60 years ago to prevent technological surprise, and I can think of no better way of doing that in today’s networked world than by developing automated, scalable systems able to find and fix software vulnerabilities at machine speed,” Prabhakar said. “Our goal in cyber is to break past the reactive patch cycle we’re living in today, and unleash the positive power and creative potential of the information revolution.”

All teams received trophies for their efforts and the top three teams were awarded $2 million, $1 million, and $750,000, respectively. The other four contestants were:

  • Rubeus, a system developed by Deep Red of Arlington, Va.
  • Galactica, a system developed by CodeJitsu of Berkeley, Ca., Syracuse, N.Y., and Lausanne, Switzerland
  • Jima, a system developed by CSDS of Moscow, Id.
  • Crspy, a system developed by disekt of Athens, Ga.

Preliminary results of the CGC were announced last night at the end of more than eight hours of competition, held in the Paris Las Vegas Conference Center in conjunction with DEF CON, America’s biggest hacking conference and home to many of the world’s top cyber defense experts. Those results were considered provisional pending a planned, all-night validation exercise. The DARPA Verification Team was engaged through Sunday, August 7, 2016, to officially establish the third-place finisher, Mechanical Phish.

At the awards ceremony this morning, organizers of DEF CON Capture the Flag—an exclusive, skills-testing game played by the world’s best vulnerability researchers—invited the winning CGC system to compete against those flesh-and-blood professionals in this year’s game, which will run for approximately 48 hours starting today. Mayhem’s team accepted the historic challenge.

“One of the proudest moments of my career, years ago, was the chance to be part of a team that earned entry to DEF CON Capture the Flag. Today, full automation will enter the most competitive hacking contest on Earth as a machine enters this competition for the first time,” Walker said. “I don’t expect Mayhem to finish well. This competition is played by masters and this is their home turf. Any finish for the machine save last place would be shocking.

“I will be watching the first few minutes, when automation can have an advantage, and I will be watching for the lessons learned,” Walker continued. “This first step is about lighting a spark, igniting an automation revolution, and watching the technology that will follow Mayhem in the years to come. Automation may someday overcome the structural advantages of network offense and give the defense a chance at a fair fight. It can’t happen fast enough.”

Why CGC?

The need for automated, scalable, machine-speed vulnerability detection and patching is large and growing fast as more and more systems—from household appliances to major military platforms—get connected to and become dependent upon the internet. Today, the process of finding and countering bugs, hacks, and other cyber infection vectors is still effectively artisanal. Professional bug hunters, security coders, and other security pros work tremendous hours, searching millions of lines of code to find and fix vulnerabilities that could be taken advantage of by users with ulterior motives.

The Heartbleed security bug existed in many of the world’s computer systems for nearly two and a half years, for example, before it was discovered and a fix circulated in spring 2014. By that time, the bug had rendered an estimated half million of the internet’s secure servers vulnerable to theft and other mischief. Analysts have estimated that, on average, such flaws go unremediated for 10 months before being discovered and patched, giving nefarious actors ample opportunity to wreak havoc in affected systems before they move on to exploit new terrain.

Yesterday’s event was the first head-to-head competition between some of the most sophisticated automated bug-hunting systems ever developed. For more than eight hours, these machines played the classic cybersecurity exercise of Capture the Flag in a specially created computer testbed laden with an array of bugs hidden inside custom, never-before-analyzed software. The machines were challenged to find and patch within seconds—not the usual months—flawed code that was vulnerable to being hacked, and find their opponents’ weaknesses before the defending systems did. Highlights from game play can be viewed at: https://youtu.be/v5ghK6yUJv4.

To fuel follow-on research and parallel competition, all of the code produced by the automated systems during the CGC Final Event has been released to allow others to reverse engineer it and learn from it.

“I am amazed at the speed with which the machines responded to the use of bugs in software they had never seen before and fielded patches in response. All of this data will now be openly shared to help ensure the promise of this automation is achieved,” Walker said. “I am humbled by the talent that came together to produce and compete in this event. This is human ingenuity and good will at its best.”

For more about the Cyber Grand Challenge, including tournament details and information and videos about the competing teams, please visit www.cybergrandchallenge.com and check out DARPA’s YouTube channel.