AUTHOR: CADE METZ, BUSINESS
DATE OF PUBLICATION: 07.05.16
TIME OF PUBLICATION: 7:00 AM
wired.com
DARPA GOES FULL TRON WITH ITS GRAND BATTLE OF THE HACK BOTS
On a giant flat-screen TV in an old Emeryville, California warehouse, a floating orb fires red, blue, pink, and yellow beams into a honeycomb of hexagonal blocks. The blocks are black, white, and gray, but as the beams hit them, they change—flashing, fading, absorbing color. And when they do, scores tally just above.
On the same screen, from adjacent windows, three commentators provide additional color, as if this was a videogame championship. “You can see who’s being owned, and who’s doing the owning,” says one, a theoretical physicist named Hakeem Oluseyi.
But this isn’t a videogame. The other two commentators are veteran white-hat hackers, experts at reverse-engineering software in search of security holes. The slick-bald guy (with the ponytail in back) is Visi, and the thin one with the hipster beard is HJ, short for Hawaii John. No other names given. They’re hackers.
All this is dress rehearsal for a $55 million hacking contest put on by Darpa, the visionary research wing of the US Defense Department. The contest is called the Cyber Grand Challenge, and it’s set for early August. Seven teams will compete inside seven supercomputers erected in a ballroom at the Paris hotel in Las Vegas, each unleashing artificially intelligent software that will defend one machine—and virtually attack the rest.
No one has ever really deployed a bot like that—software that can, completely on its own, find and repair security holes in real time. If these bots reach maturity, it would be a fundamental shift in computer security. But none of that is visual. So, to prove it can work, Darpa is going all Tron, visually recreating what goes on inside those seven machines. It’s not enough to have bots play Capture the Flag. You need to see it. “What’s happening inside the central processing unit? What’s happening inside the memory?” says Mike Walker, the veteran white-hat hacker turned Darpa program manager who oversees the Grand Challenge. “That’s what we’re trying to do here.”
Darpa’s Cyber Grand Challenge visualization in “arena view,” showing what the hack bots are doing inside seven supercomputers. DARPA
Inside the Grid
On the TV, Oluseyi, Visi, and HJ are describing that Tron-like visualization, a software universe Darpa built in tandem with voidAlpha, a videogame company. VoidAlpha works out of this reclaimed warehouse, and Walker is here too. He and his Darpa team arrived in Emeryville last week so they could hone the visualization and try it out.
This isn’t the first time the security community has tried to build useful visualizations of what goes on inside a computer network. In fact, there’s a whole sub-community devoted to network visuals. But for Visi and HJ, Darpa has captured the art of reverse engineering in an unprecedented way. “This has never been available, even to reverse engineers using the most cutting edge tools,” Visi says.
For decades, human hackers, including Visi and HJ, have played Capture the Flag, the oldest, biggest, and most famous hacking contest. But the Cyber Grand Challenge is for bots, and Darpa wants to bring these bots into the wider world. Having this kind of visualization helps people understand how that might work—and it can help them build better bots. “A Grand Challenge is about starting technology revolutions,” Walker says. “That’s partially through the development of new technology, but it’s also about bringing a community to bear on the problem.”
Plus, it looks cool. For people who watched Jeff Bridges ride a light cycle around a computer-generated vision of a circuit board (twice!), or watched Angelina Jolie, in Hackers, mess around inside a supercomputer called Gibson (we see what you did there, and no doubt @GreatDismal did, too), the idea of getting to see what’s actually happening in the soul of a machine is more than tantalizing.
The Physical and the Virtual
The competition’s wardrobe-sized supercomputers are already at the Paris, sitting quietly in storage. They arrived at the end of June. And in the coming weeks, a team led by Darpa contractor Sean O’Brien will forklift them into an 83,000 square-foot ballroom and onto a clear plexiglass stage.
That transparency is literal and metaphoric. The visible air gap between the machine and everything else in the room ensures that data will only travel to the outside world on CDs carried by a robotic arm. “No networking cable will cross the air gap,” O’Brien says.
That way, everyone—even the most skeptical and paranoid hacker among the crowd at Def Con—will know the competition is on the up-and-up. Even the contestants, the seven teams that spent the last two years designing the bots, will sit outside the air gap.
As these contestants watch, the bots will go to work inside the machines, analyzing and defending software they’ve never seen before. They’ll look for security vulnerabilities in their own machine. They’ll scramble to patch those vulns and keep their systems running. And at the same time, they’ll strive to show Darpa’s referees they can exploit holes in the other machines. That’s how Capture the Flag works—except for the bots.
Darpa tests the supercomputers—enormous racks of servers—that serve as the playing field for the Cyber Grand Challenge. DARPA
Closing the Window
Traditionally, finding and patching security holes is a human talent. But machines are playing an ever-expanding role. Google, for instance, is building sweeping systems that can identify vulns via fuzz testing, a technique that involves throwing random inputs at a piece of software. Google’s system can simultaneously fuzz dozens of Android phones, and it’s using deep neural networks—networks of hardware and software that can learn by analyzing vast amounts of data—to gradually learn what sort of fuzzing is likely to work and what’s not.
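To make the fuzzing idea above concrete, here is an added example that is not code from the article, from Google, or from any Cyber Grand Challenge team. It fuzzes a toy length-prefixed record parser: the buggy version trusts the length byte and reads past its buffer (a Python IndexError stands in for the out-of-bounds read a C program would suffer), the fuzzer separates deliberate input rejection from real crashes, a reducer shrinks a crashing input to a minimal reproducer, and the patched parser rejects the same inputs cleanly. The record format and every function name are assumptions constructed for this example.

```python
import random

# Constructed toy format for this example: byte 0 declares the payload
# length, the remaining bytes are the payload. The parser returns a one-byte
# XOR checksum followed by the payload.


def parse_record_buggy(data: bytes) -> bytes:
    """Trusts the declared length; over-reads when it exceeds the buffer."""
    if not data:
        raise ValueError("empty record")        # deliberate rejection, not a bug
    declared = data[0]
    checksum = 0
    for i in range(declared):
        # Raises IndexError once 1 + i runs past the buffer: the crash proxy
        # for the out-of-bounds read this bug would be in native code.
        checksum ^= data[1 + i]
    return bytes([checksum]) + data[1:1 + declared]


def parse_record_fixed(data: bytes) -> bytes:
    """Hardened version: validates the declared length before touching the payload."""
    if not data:
        raise ValueError("empty record")
    declared = data[0]
    if declared > len(data) - 1:
        raise ValueError("declared length exceeds buffer")   # reject, don't crash
    payload = data[1:1 + declared]
    checksum = 0
    for b in payload:
        checksum ^= b
    return bytes([checksum]) + payload


def crashes(parser, sample: bytes) -> bool:
    """True when the parser fails with anything other than a deliberate ValueError."""
    try:
        parser(sample)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(parser, iterations: int = 2000, seed: int = 1, max_len: int = 16):
    """Random fuzzing: throw pseudo-random byte strings at the parser and
    collect the ones that crash it. A fixed seed makes a run reproducible,
    which matters when a finding has to be triaged later."""
    rng = random.Random(seed)
    found = []
    for _ in range(iterations):
        sample = bytes(rng.randint(0, 255) for _ in range(rng.randint(0, max_len)))
        if crashes(parser, sample):
            found.append(sample)
    return found


def minimize(parser, sample: bytes) -> bytes:
    """Greedy reduction: drop one byte at a time while the crash still reproduces,
    leaving the smallest input a developer needs to understand the bug."""
    current = sample
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(current)):
            candidate = current[:i] + current[i + 1:]
            if crashes(parser, candidate):
                current, shrunk = candidate, True
                break
    return current


if __name__ == "__main__":
    crashers = fuzz(parse_record_buggy)
    print(f"buggy parser: {len(crashers)} crashing inputs out of 2000")
    if crashers:
        print("minimal reproducer:", minimize(parse_record_buggy, crashers[0]).hex())
    print(f"fixed parser: {len(fuzz(parse_record_fixed))} crashing inputs out of 2000")
```

The split between ValueError and every other exception is the part worth copying: a fuzzer that counts every rejected input as a finding buries the real bug under noise, while one that ignores all exceptions misses it. Production fuzzers add coverage feedback and mutation of a seed corpus on top of this loop, which is the kind of guidance the neural-network work mentioned above is meant to learn.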
At least, that’s the idea. These kinds of systems are a long way from handling the whole process on their own. They don’t identify and patch holes in software while people are using it. And they’re certainly not in the toolkit of the average online company. “This is a long ways off,” says Orion Hindawi, CEO of Tanium, a security company just down the road from today’s dress rehearsal. “It’s an extremely expensive way to solve the problem.”
But with the Cyber Grand Challenge, Darpa is aiming for all that. It seeks bots that can identify and patch vulns in the moment—without any human intervention. “We’re trying to close the window to a minute,” Walker says. “Or seconds.” In the same way self-driving cars have improved enormously since they picked their way through a Grand Challenge obstacle course in the Mojave desert, Walker hopes the bots will get better, eventually outperforming humans. The battle in Las Vegas might be the first time people are just an audience for AIs fighting for hacker supremacy, but it won’t be the last.
The massive air conditioning units that will cool the supercomputers inside the Paris ballroom. DARPA
Nerd Detector
To a certain subset of the population, the idea of real-life Tron is enough of a sell. “You could use this as a nerd detector,” Oluseyi says during practice commentary. But Tron was a fantasy. Come on, a security program that looks like the commander of Babylon 5? What are the odds?
With the Cyber Grand Challenge, the visual metaphor is more literal. One view is akin to an arena. That’s still very Tron-like, but instead of light cycles and flying discs, you get those honeycombs of hexagons. The hexagons represent real software services running inside the supercomputers. And the colored beams hitting the hexagons show data flowing into those services, including data from the bots. The audience can see when a bot finds a hole, when it patches the hole, when a bot accidentally breaks the service, when the service is inaccessible because a patch is taking too long, and so on.
What’s more, Darpa’s visualization can drill down and really look at those streams of data—about 84,000 attempts at reverse engineering over an eight-hour contest. This is called the “trace view.” It can actually demonstrate what each bot is doing—what code is executing when. “It literally shows the execution flow of data being given to a program,” Visi says, “and what the program is doing with that data.” Matt Wynn, one of the voidAlpha designers who built the visualization, believes the company could turn this into a bona fide debugger, something engineers could use to hone and debug code in the real world.
From afar, the trace view looks almost like a wire fence rolled up into a cylinder. But up close, you can see the route of the moving data. A code loop—when a service executes the same routine over and over again—looks like a loop, a developing spiral. For Visi, this is what sets Darpa’s project apart. It can show you what’s happening inside the machine over time. It’s not a snapshot. It’s a narrative.
Human and Machine
If you’re not a hacker, this is still hard to grasp—at least initially. But that’s why Darpa hired commentators. It’s all about taking what’s inside the head of someone like Visi—a seasoned reverse engineer—and showing it to everyone. “There’s a distinct need to get that fusion of knowledge and understanding out to a larger audience,” he says. When reverse engineering, he mentally visualizes the hack, and Darpa wants to visualize it for real. It wants to give everyone else that same image.
The image on screen is beautiful. It’s intriguing. And, ultimately, it’s enlightening. But it still looks small. And it shouldn’t. It should show the enormity of the task—the massive amounts of code and traffic those bots will deal with. That’s why Darpa brought in Oluseyi, the physicist. On the Internet, he’s known for a TED talk on infinity. “Program analysis,” Walker says, “is a duel with the infinite.” And Oluseyi is here to make sure we all see it.