Darpa Goes Full Tron With Its Grand Battle of the Hack Bots
On a giant flat-screen TV in an old Emeryville, California warehouse, a floating orb fires red, blue, pink, and yellow beams into a honeycomb of hexagonal blocks. The blocks are black, white, and gray, but as the beams hit them, they change—flashing, fading, absorbing color. And when they do, scores tally just above.
On the same screen, from adjacent windows, three commentators provide additional color, as if this was a videogame championship. “You can see who’s being owned, and who’s doing the owning,” says one, a theoretical physicist named Hakeem Oluseyi.
But this isn’t a videogame. The other two commentators are veteran white-hat hackers, experts at reverse-engineering software in search of security holes. The slick-bald guy (with the ponytail in back) is Visi, and the thin one with the hipster beard is HJ, short for Hawaii John. No other names given. They’re hackers.
All this is dress rehearsal for a $55 million hacking contest put on by Darpa, the visionary research wing of the US Defense Department. The contest is called the Cyber Grand Challenge, and it’s set for early August. Seven teams will compete inside seven supercomputers erected in a ballroom at the Paris hotel in Las Vegas, each unleashing artificially intelligent software that will defend one machine—and virtually attack the rest.
No one has ever really deployed a bot like that—software that can, completely on its own, find and repair security holes in real time. If these bots reach maturity, it would be a fundamental shift in computer security. But none of that is visual. So, to prove it can work, Darpa is going all Tron, visually recreating what goes on inside those seven machines. It’s not enough to have bots play Capture the Flag. You need to see it. “What’s happening inside the central processing unit? What’s happening inside the memory?” says Mike Walker, the veteran white-hat hacker turned Darpa program manager who oversees the Grand Challenge. “That’s what we’re trying to do here.”
Inside the Grid
On the TV, Oluseyi, Visi, and HJ are describing that Tron-like visualization, a software universe Darpa built in tandem with voidAlpha, a videogame company. VoidAlpha works out of this reclaimed warehouse, and Walker is here too. He and his Darpa team arrived in Emeryville last week so they could hone the visualization and try it out.
This isn’t the first time the security community has tried to build useful visualizations of what goes on inside a computer network. In fact, there’s a whole sub-community devoted to network visuals. But for Visi and HJ, Darpa has captured the art of reverse engineering in an unprecedented way. “This has never been available, even to reverse engineers using the most cutting edge tools,” Visi says.
For decades, human hackers, including Visi and HJ, have played Capture the Flag, the oldest, biggest, and most famous hacking contest. But the Cyber Grand Challenge is for bots, and Darpa wants to bring these bots into the wider world. Having this kind of visualization helps people understand how that might work—and it can help them build better bots. “A Grand Challenge is about starting technology revolutions,” Walker says. “That’s partially through the development of new technology, but it’s also about bringing a community to bear on the problem.”
Plus, it looks cool. For people who watched Jeff Bridges ride a light cycle around a computer-generated vision of a circuit board (twice!), or watched Angelina Jolie, in Hackers, mess around inside a supercomputer called Gibson (we see what you did there, and no doubt @GreatDismal did, too), the idea of getting to see what’s actually happening in the soul of a machine is more than tantalizing.
The Physical and the Virtual
The competition’s wardrobe-sized supercomputers are already at the Paris, sitting quietly in storage. They arrived at the end of June. And in the coming weeks, a team led by Darpa contractor Sean O’Brien will forklift them into an 83,000 square-foot ballroom and onto a clear plexiglass stage.
That transparency is literal and metaphoric. The visible air gap between the machine and everything else in the room ensures that data will only travel to the outside world on CDs carried by a robotic arm. “No networking cable will cross the air gap,” O’Brien says.
That way, everyone—even the most skeptical and paranoid hacker among the crowd at Def Con—will know the competition is on the up-and-up. Even the contestants, the seven teams that spent the last two years designing the bots, will sit outside the air gap.
As these contestants watch, the bots will go to work inside the machines, analyzing and defending software they’ve never seen before. They’ll look for security vulnerabilities in their own machine. They’ll scramble to patch those vulns and keep their systems running. And at the same time, they’ll strive to show Darpa’s referees they can exploit holes in the other machines. That’s how Capture the Flag works—except for the bots.
Closing the Window
Traditionally, finding and patching security holes is a human talent. But machines are playing an ever expanding role. Google, for instance, is building sweeping systems that can identify vulns via fuzz testing, a technique that involves throwing random inputs at a piece of software. Google’s system can simultaneously fuzz dozens of Android phones, and it’s using deep neural networks—networks of hardware and software that can learn by analyzing vast amounts of data—to gradually learn what sort of fuzzing is likely to work and what’s not.
At least, that’s the idea. These kinds of systems are a long way from handling the whole process on their own. They don’t identify and patch holes in software while people are using it. And they’re certainly not in the toolkit of the average online company. “This a long ways off,” says Orion Hindawi, CEO of Tanium, a security company just down the road from today’s dress rehearsal. “It’s an extremely expensive way to solve the problem.”
But with the Cyber Grand Challenge, DARPA is aiming for all that. It seeks bots that can identify and patch vulns in the moment—without any human intervention. “We’re trying to close the window to a minute,” Walker says. “Or seconds.” In the same way self-driving cars have improved enormously since they picked their way through a Grand Challenge obstacle course in the Mojave desert, Walker hopes the bots will get better, eventually outperforming humans. The battle in Las Vegas might be the first time people are just an audience for AIs fighting for hacker supremacy, but it won’t be the last.
To a certain subset of the population, the idea of real-life Tron is enough of a sell. “You could use this as a nerd detector,” Oluseyi says during practice commentary. But Tron was a fantasy. Come on, a security program that looks like the commander of Babylon 5? What are the odds?
With the Cyber Grand Challenge, the visual metaphor is more literal. One view is akin to an arena. That’s still very Tron-like, but instead of light cycles and flying discs, you get those honeycombs of hexagons. The hexagons represent real software services running inside the supercomputers. And the colored beams hitting the hexagons show data flowing into those services, including data from the bots. The audience can see when a bot finds a hole, when it patches the hole, when a bot accidentally breaks the service, when the service is inaccessible because a patch is taking too long, and so on.
What’s more, Darpa’s visualization can drill down and really look at those streams of data—about 84,000 attempts at reverse engineering over an eight-hour contest. This is called the “trace view.” It can actually demonstrate what each bot is doing—what code is executing when. “It literally shows the execution flow of data being given to a program,” Visi says, “and what the program is doing with that data.” Matt Wynn, one of the voidAlpha designers that built the visualization, believes the company could turn this into a bone fide debugger, something engineers could use hone and debug code in the real world.
From afar, the trace view looks almost like a wire fence rolled up into cylinder. But up close, you can see the route of the moving data. A code loop—when a service executes the same routine over and over again—looks like a loop, a developing spiral. For Visi, this is what sets Darpa’s project apart. It can show you what’s happening inside the machine over time. It’s not a snapshot. It’s a narrative.
Human and Machine
If you’re not a hacker, this is still hard to grasp—at least initially. But that’s why Darpa hired commentators. It’s all about taking what’s inside the head of someone like Visi—a seasoned reverse engineer—and showing it to everyone. “There’s a distinct need to get that fusion of knowledge and understanding out to a larger audience,” he says. When reverse engineering, he mentally visualizes the hack, and Darpa wants to visualize it for real. It wants to give everyone else that same image.
The image on screen is beautiful. It’s intriguing. And, ultimately, it’s enlightening. But it still looks small. And it shouldn’t. It should show the enormity of the task—the massive amounts of code and traffic those bots will deal with. That’s why Darpa brought in Oluseyi, the physicist. On the Internet, he’s known for a TED talk on infinity. “Program analysis,” Walker says, “is a duel with the infinite.” And Oluseyi is here to make sure we all see it.
Link to article: