DARPA’s Cyber Grand Challenge tasked teams with writing a program that can fix bugs in mere seconds.
A software program called Mayhem this week won the Cyber Grand Challenge, which bills itself as the “world’s first all-machine hacking tournament.”
Mayhem was created by ForAllSecure, one of seven teams made up of hackers and programmers from around the world.
To come out on top, a team’s systems had to autonomously create network defenses, deploy patches and mitigations, monitor the network, and evaluate the defenses of competitors.
The seven teams competed for nearly $4 million in prizes in Wednesday’s competition, which was sponsored by the US Defense Advanced Research Projects Agency (DARPA) and performed in front of 5,000 computer security professionals and others in Las Vegas.
The challenge started in 2013, with the team behind Mayhem and the six other finalist teams progressing through several rounds of hacking competitions.
In the final, the teams participated in a “capture the flag” cyber security exercise.
The programs had to find and patch hidden bugs in specially developed code within seconds, rather than the hours or days it often takes human security experts to find vulnerabilities.
“I’m enormously gratified that we achieved CGC’s primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defense is indeed possible,” DARPA program manager Mike Walker said in a statement.
Mayhem’s creators will go home with $2 million in cash, and they’ll also be invited to compete in this year’s Def Con hacking challenge, marking the first time a machine will be allowed to play in that tournament.
DARPA hopes to use the code written for the Cyber Grand Challenge to combat future large-scale security flaws like 2014’s Heartbleed bug, which rendered an estimated half million of the Internet’s secure servers vulnerable to unauthorized access and theft.
The Electronic Frontier Foundation hailed the Challenge as an innovative way to fortify computer systems against hackers, but warned that “there may be some real policy concerns down the road about systems that can automate the process of exploiting vulnerabilities.”