Good morning and welcome to the DARPA Cyber Grand Challenge Award Ceremony. Please welcome the Director of the Information Innovation Office at the Defense Advanced Research Projects Agency, Dr. John Launchbury.
Good morning. You know, DARPA is a national treasure and a magical place. It's filled with people who have a vision of what might just be possible and the technical chops to make it so. They come from industry and academia, and these people choose to commit three to five years of their careers, bringing new possibilities into being. And the nation entrusts them with the resources to make it possible. Mike Walker is such a person. Cyber Grand Challenge was his vision of the possible, and yesterday, we all witnessed something new being formed in the world. This morning, we get to celebrate that accomplishment. Let us welcome him to the stage, Mike Walker.
Hello, everybody. In 2013, we challenged the world to create automated systems that could compete in a hacking contest, and no such machines existed at the time. In 2014, competition teams from around the world attempted to draw on existing program analysis technology and native code expertise to construct prototypes that could get us halfway there. At our 2015 qualifiers, seven of these teams proved to the world that automated flaw identification and patching was possible in years. The results were in unison on previously unseen code. After we named our finalists in July of 2015, the race was on to take those core skills and adapt them to building a fully automated system that could think about new security problems and manage them under pressure in the heat of competition. Yesterday, those systems competed against each other, and let's watch a little bit of what happened together.
The first ever fully automated cybersecurity automated competition. Ready. Game started at 0900 and 45 seconds Pacific. Welcome, everyone, to the first ever fully automated cybersecurity automated competition.
Xandra managed to discover and prove a vulnerability in one of the services that we call OpsSim. But this is a unique situation, and it's something we were kind of hoping to see. They actually managed to discover an unintended flaw. A vulnerability. So each of these services that's written, just like real world software, it's impossible for us to have made absolutely certain that the one vulnerability that we intended is the only one that's present. So the interesting part here is that Xandra had discovered this new POV, exercised it against something that we hadn't actually even intended, and then Jima observed this occurring and successfully defended against it. So these are all results that, like, we hadn't possibly had any ability to predict whatsoever. Wow. So Xandra POV succeeded against the reference binary, but not against Jima's patched binary. So Jima was actually successfully able to patch a bug that we didn't even know existed in the software. But what kind of general purpose or even specific patches does Jima implement that could do this? So that was probably one of our general purpose patches. We looked at areas of code where we know there are common vulnerabilities, and we just deliberately inserted conservatively the patches for those areas.
The address resolution service was basically the vulnerability that was modeled after this year. So it was a little bit of a SQL Slammer like we were talking about. And we definitely saw some of the bots discover this vulnerability and actually begin trying to prove that vulnerability against other teams or other bots very, very early on. So this represents a true success to what we have going on here because in that five-minute window that Deb mentioned that she was hoping for, that actually managed to be proven and patched by several of the teams in the very next round. So that means that in a five-minute window, a totally previously never-seen-before challenge binary was researched and evaluated and found vulnerable and patched by a completely autonomous system.
Our implementation of the mail server challenge basically wanted to strike a balance between the difficulty and the complexity of the original bug in Sendmail and Halvar's example that was sort of a carved-down subset of the problem. Either way, they are all sort of the classic state machine problems that are very, very difficult for program analysis. Those nearly infinite possibilities and that halting problem that we talked about before clearly come into play here. So Mechanical Phish was the only team to actually successfully POV against our version of Crackaddr. So this basically represents a leap forward in program analysis. For them to be capable of doing this means that we're one step closer to that thing that's basically been sort of the Everest of program analysis because of that state machine problem. Congratulations. What do you think about this? It's pretty overwhelming. Wow. I mean, all the talk about state machines and all the possibilities. State machines really reminds me of one of the papers that we published recently. We published the paper Driller, which is supposed to augment fuzzing with symbolic execution. And one of our really in-depth case studies talks about how exactly it traverses the state machines and is able to really explore deeply parts of the program that would normally be inaccessible to a more naive approach. Thank you.
Today, we saw machines patch many of the vulnerabilities that were activated in their software. Within minutes, without damaging software or availability. Challenges work not because of the many who cannot imagine, but because of the few willing to make the attempt. Thank you all for your courage. I'd like to close, but this room, the loudest round of applause we can summon for those who dared.
So, uh, I just want to say thank you. I have a note on that first highlight. I just, I want to make sure everyone understands what happened.
Uh, we created a bunch of native code that had never been seen before. Uh, one of the machines found a bug in it that we didn't know about. It was completely unintentional. Discovered it, discovered how to use that flaw to take a flag from another machine and the other machine detected it and built a patch. A conversation between machines that happened in minutes. Um, who would have thought? Um. Um, but what we just saw yesterday was a first step. I want to think back for a moment to 2005. Uh, this is Stanley. Stanley is a self-driving car that won the 2005 DARPA Grand Challenge. And Stanley is a future technology prototype, a proof of concept. A research and engineering milestone. It is not a particularly good self-driving car by today's standards. It was filled with computing. Its sensors and communications gear were bolted on and bulky. It couldn't drive on our streets and it couldn't handle traffic. And it couldn't do a lot of things. All the same, Stanley earned its place in the Smithsonian by redefining what was possible. And today the technology descended from Stanley and its competition are driving in America's streets all on their own. That long awaited revolution is arriving on our streets and highways right now. So these CGC prototypes are just like Stanley. They work only on very simple research operating system. They work on 32-bit native code. They spend a huge amount of computing power to think about the security problems of small example services. The complex bugs they found are impressive. But they are not as complex as their real world analogs. And a huge amount of engineering remains to be done before something like this can guard the networks that we use. I invite you this weekend to imagine the technology that will follow these first prototypes. And what that technology will mean. Imagine networks where zero day cannot happen to anybody. Where zero day does not guarantee attacker success. 
Where defenders work together with guardian machines to keep networks safe. Imagine getting a text message from the system that protects your business letting you know it just learned about a new flaw in your document reader. And synthesized a new patch all on its own. It's coming and we have these three days to imagine it together. Now that cyber grand challenge is over and since this is a security crowd. I want to talk a little bit about some other things at DARPA. Many of you may be familiar with the idea of formal verification. A field in which the security properties of native code are accompanied by a mathematical proof that guarantees those properties. Less of you may know that a few years ago DARPA funded technology that is now open source. A formally verified control system for a commercial quadcopter. And you can buy this commercial quadcopter. Download the code from the website on the screen. Install it. Fly it around your neighborhood right now. The research community behind this code believes that formal verification provides powerful promises about the absence of entire classes of flaws. And we'd love to hear from you about how strong this security really is. We also hope in the future to conquer new frontiers with formal verification. Many of you are also familiar with technology developed under cyber fast track. A previous DARPA program. Portions of Nmap for instance. All of that technology development happened because Mudge became the first person from this community. From this hacker community to come to DARPA to be a program manager. I went to a lot of Mudge's cyber fast track talks. I was inspired by the common ground that he forged between DARPA and the hacker community. And I'm proud today to be following the tradition he started. And I hope that like me, some of you out there are watching what was accomplished in this challenge. And are wondering if you could build your vision of future technology at DARPA. 
Creating something like Cyber Fast Track or Cyber Grand Challenge from scratch. Building the technology team behind it and guiding its execution. These are difficult and rewarding things. Mudge started a tradition of hacker program management at DARPA. And it is my sincere hope that as my term limit ends and I leave the agency, that some of you will step up to continue this tradition. Until it's easy to write defensible code, and networks are secure by default, there must always be hackers working at DARPA to create revolutionary technology. So if you have technology vision, the ability to lead teams and an aptitude for public service, please email us or seek us out this weekend. It is now my pleasure to introduce the director of DARPA, Arati Prabhakar.
Thank you Mike. Good morning everyone. It's wonderful to be here with this DEF CON community. I want to take just a minute and talk about why we are here. Why is DARPA here doing this Cyber Grand Challenge? And the first big reason that we are here is our job at DARPA is to change what's possible. That's why every one of us comes to work every single morning. Our job is to change what's possible. So that we can revolutionize our national security capabilities. And our little agency was created in the immediate aftermath of Sputnik. So we've been at this for about almost 60 years now. And what that means is that our predecessors got to work with some of the most amazing people and teams of their times. And the work that they did together led to navigation that you can hold in the palm of your hand. It led to stealth aircraft. It led to composite materials. It led to wave after wave of artificial intelligence. And of course the work that they did together built the ARPANET. And it led to the internet. So absolutely. So I'm all for them. That was awesome what that generation did. For every one of us who works at DARPA today. And the community that we get to work with. We recognize that that's a proud history.
But now it's our time. Now it's our turn to step to the plate. And now it's our turn to change what's possible. And that is exactly what Cyber Grand Challenge is doing right now. So you've heard about Mike's amazing work. And he's talked a little bit about the big ambitions in the Cyber Grand Challenge. Cyber Grand Challenge is actually only one of about 200 activities. And it's an active program at DARPA today. And every one of those programs has a big ambition. They range from a ship that will be able to navigate itself across the seas without a single sailor on board. To a space plane that can put a satellite on orbit tomorrow instead of next year. To a network of sensors across an entire city that can detect radiological and nuclear materials before a terrorist can detonate a bomb. And among the things that we're doing today, I want to mention two where you can get engaged immediately. One, you can get engaged at noon today right here at DEF CON. Because if you go to the biohacking village, you'll hear about some of our big ambitions in biological technologies. The work that we're doing to change how we understand the human brain and start developing neurotechnologies. The work that we're doing to build on the explosion in gene editing capabilities. And the work in synthetic biology. So please join us there. You'll hear from a couple of DARPA program managers there. A second thing that's a big ambition at DARPA today. A new program that's just ramping up. Will be DARPA's next massive grand challenge. And that is the Spectrum Collaboration Challenge. And I invite you to dive in on this one too. The challenge in that case is we're going to challenge teams to build radio networks with embedded AIs. That will allow each of those radio networks. To dynamically scan and form hypotheses and predict what's happening in the radio spectrum. So that they can both compete with each other. 
But also collaborate to dramatically advance the amount of capacity that we can get from a fixed amount of spectrum. That one's just getting rolling so dive back in. So as you can see a very wide range of big ambitions at DARPA today. Every single one of those big ambitions depends on cyber security. We can't achieve these big ambitions. These big dreams. Unless we can trust our data. Trust our networks. Trust the systems that we are so completely reliant on today. And because of that a revolution in cyber security is also a big ambition at DARPA today. Cyber grand challenge is a big part of that. Mike mentioned some of the other things that we're doing. There's a large portfolio of active programs in that area. Results that are starting to come out of it. We invite you to engage with us. And help build that portfolio. But also draw on the fruits of that research. Because as we start developing those technologies. And as we start implementing them. Ultimately we hope across the entire information ecosystem. As we do that we can start imagining a future where we actually have some foundation of cyber security. Not invulnerability. But we can live in a future where we can get on with the business of enjoying the fruits of this phenomenal information revolution. That we're all living in today. So those are some of the big ambitions that we have at DARPA today. And changing what's possible is a very big reason that we are here today at DEF CON doing cyber grand challenge. A question I've gotten from lots of people is why are you doing this in Las Vegas? And why are you doing it with DEF CON? The answer to that is we could not have done it without a tremendous partnership with DEF CON. And I want to just call out DEF CON's leadership. This whole community. We chose to do this because number one. How awesome was it that we were able with your permission to build on top of this amazing capture the flag game. 
A perfect game to start with to develop a league of their own for machines to start learning how to do this amazingly hard work. That's been wonderful for us. Most important from my perspective. Very much as Mike said. This community. Your community. You all. This is such an important part of how we're going to change the future of cyber security. I think we're starting to build some very important ties. I hope Cyber Grand Challenge advanced that in some very significant ways. So thank you DEF CON. This has been just tremendous. The final and most fundamental reason we are here today is because of Mike Walker. Now Mike is something amazing. And that amazing thing that he is is a DARPA program manager. That's a person who has a vision. Who builds a team to do this incredible amount of hard work. Who inspires a vast community to drive these technologies forward. And ultimately it's someone who gets to spark a technological revolution. So Mike, thank you for showing the world what a DARPA program manager is all about.
It is now my privilege to recognize the teams who built the bots, who changed what's possible here at the Cyber Grand Challenge. We are going to start with finalist disekt, who built the bot Crspy. Come on up. Yes sir. Slapstickers win. Even up. Ah Pakistan. Iraq. Vietnam. China. One. Two. Five. Three. Plus. Two. Yeah. That's extraordinary. Thanks. Please join me in celebrating finalists, CSDS, who built the bot, Jima. Announcing finalists. Deep Red, who built the bot, Rubeus. You never know what's going to happen at a challenge. It's my great pleasure to introduce finalist, Shellphish, who built the Mechanical Phish. Xandra. And now the winner of the DARPA Cyber Grand Challenge, ForAllSecure and their bot Mayhem.
So we're going to close by inviting the captain of the highly Legitimate Business Syndicate that runs DEF CON Capture the Flag up onto stage. There he is. Welcome. Now it's my understanding that you've been waiting a year now to make this challenge, so the mic is yours.
I just have one question. One question for Mayhem. Shall we play a game?
It's on. The Mayhem Cyber Reasoning System will play on DEF CON Capture the Flag, hopefully starting around 1130. We're not quite sure when it's going to start, but I hope to see you there. Thank you very much for coming. Congratulations to everyone who played our game. Congratulations to our finalists. Congratulations to our winners. Thank you. Thank you.