Even with tools such as static analysis software available to help developers catch bugs, finding and fixing software errors remains a challenge for human engineers. However, what if software could identify security risks on its own and fix itself? That’s the question the Defense Advanced Research Projects Agency is hoping some innovative team will answer as part of the office’s recently announced Cyber Grand Challenge, which is offering a cash prize of $2 million to the team that builds the best automated system “to evaluate software, test for vulnerabilities, generate security patches and apply them to protected computers on a network.”
The ideal solution will expertly combine the capabilities of security software and cutting-edge program analysis techniques to make a tool that can identify threats and automatically correct vulnerabilities, the agency noted. The official solicitation notice states that research that is primarily an evolutionary improvement to existing practices is “specifically excluded.” According to Dan Kaufman, director of DARPA’s Information Innovation Office, the growth trends in cyberattacks and malicious behavior suggest that IT security analysts will need the help of more automated solutions in the future.
“Today, our time to patch a newly discovered security flaw is measured in days,” DARPA program manager Mike Walker explained. “Through automatic recognition and remediation of software flaws, the term for a new cyber attack may change from zero-day to zero-second.”
About the competition
The Cyber Grand Challenge, which is being billed as the “first-ever tournament for fully automatic network defense systems,” will be a real-time tournament that throws a series of challenges at competing teams. A final event, slated for early to mid-2016 and drawing the top competitors from qualifying events, will score teams on how well their systems protect hosts, locate vulnerabilities across the network and maintain correct software function. In addition to a top prize of $2 million, the runner-up will receive $1 million and third place will earn $750,000.
Previous DARPA Grand Challenge events attempted to tackle the idea of self-driving cars. In a 2004 event, 25 teams raced autonomous cars on a 7-mile course for a $1 million prize, but none finished, Forbes noted. In 2005, a team from Stanford won the challenge, with its self-driving Volkswagen handling a 132-mile course in seven hours.
Given the challenge of protecting software from hackers eager to exploit zero-day vulnerabilities, the results of the CGC will likely be closely watched by those in the software security community. If a team is able to develop an effective solution, it could revolutionize the way companies fight against external threats.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.