1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Mayhem is a machine that can automatically detect, exploit, and patch cybersecurity vulnerabilities

By Polycount · 6 replies
Jan 30, 2019
Post New Reply
  1. Most large companies recognize the value these hackers offer to the tech industry, and have set up lucrative "bug bounty" programs to reward them for their efforts depending on the severity of any disclosed bugs.

    Traditionally, the process of bug-hunting is something that is mostly handled by human beings. After all, nothing can beat a real person's attention to detail - right? Not quite, according to a new report from IEEE Spectrum.

    Written by security researcher David Brumley, the report describes the rise of what might be one of the worlds' most impressive automated white-hat hacking machines. Called Mayhem, the machine is a water-cooled computing behemoth that can detect, exploit, and fix software weaknesses automatically, and at speeds that no human being can match.

    So, how does Mayhem work? The gist is that it combines two long-standing approaches to software analysis to perform its duties, known as "fuzzing" and "symbolic execution."

    In the words of Brumley himself:

    Symbolic execution builds an equation to represent all the logic in a program—for example, “x + 5 = 7”—and then solve the equation. Contrast this strategy with another method of software analysis known as fuzzing, in which you feed random permutations of data into a program to crash it, after which you can determine the vulnerabilities that were at fault and how they might be exploited in a more deliberate attack. Fuzzing keeps putting in random data until a particular string of data makes the equation true, finally determining that x =2.

    Put into even simpler terms, fuzzing involves "making intelligent guesses at lightning speed," and symbolic execution is like "asking a mathematician to try to formally figure out what inputs may exploit [a] program."

    During internal tests, Mayhem managed to find a whopping 14,000 unique vulnerabilities when set loose on every program in popular Linux distribution Debian; 250 of which were completely new.

    Mayhem's team of creators, which is comprised of Brumley and several researchers from Carnegie Mellon University, decided to enter the device into a hacking contest led by DARPA back in 2015. Throughout the competition, contestants' machines earned points based on how many vulnerabilities they managed to find, exploit, and patch.

    The contest was split into two phases: a qualifying round, and a finalist event known as the Cyber Grand Challenge (CGC).

    ForAllSecure's (the name of Brumley's team) Mayhem managed to score twice as many points as the next best-ranked semifinalist in the qualifying round, and at the CGC itself, the machine once again prevailed against its six competitors - but it wasn't the victory itself that was impressive.

    Rather, it was how Mayhem won that astonished spectators. A mere 40 rounds into the CGC, Mayhem crashed, devastating the ForAllSecure team. However, at the end of the contest, it was revealed that their sadness was for nought - Mayhem still managed to win, despite not being functional for the remaining 55 rounds of the CGC.

    Though we'll never know how far Mayhem could have gone if it hadn't crashed, it is probably safe to say the machine would have far surpassed the scores of its competitors.

    According to Brumley, the machine's capabilities are currently being sold to "early adopters" such as the US government, as well as various tech and aerospace companies.

    However, given the risks associated with giving Mayhem free reign over such important industries, the machine is still working alongside human security experts - for now. In the future, Brumley believes machines alone will handle the world's cybersecurity.

    Image courtesy DARPA, Sean McCabe, & Chelsea Mastilak via IEEE Spectrum

    Permalink to story.

  2. kira setsu

    kira setsu TS Enthusiast Posts: 98   +71

    Oh boy, I'll be able to witness skynet after all, I wonder how long we have until it figures out humans are a vulnerability.

    on a serious note I hope this means program developers will soon have a way to send their creations through a system that'll secure things for them before they release it.
  3. ZipperBoi

    ZipperBoi TS Member Posts: 18   +22

    Wonder how great the possibility is that this thing detects false positives and ends up breaking a piece of software or network infrastructure its trying to fix/ protect? Nothing is perfect, bout to be some hiccups.
    Clamyboy74 and xxLCxx like this.
  4. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,754   +1,148

    Wow, this is an astonishingly accomplishment, I hope we hear more news from it.

    It doesn't matter, if this is not trying to help it, there will probably be another one exploiting without letting anyone know.
  5. Uncle Al

    Uncle Al TS Evangelist Posts: 5,132   +3,553

    So, if this thing is so good why don't they miniaturize it and sell it to the general public. That way we could get rid of all the Norton's and similar "virus protection" software we are spending so much money on!
  6. ItZmE Again

    ItZmE Again TS Rookie

    So what happens when the robots/computers realize that to prolong their lives they need to eliminate oxidation..The major players for corrosion and oxidation are oxygen and atmospheric moisture. ooops.
  7. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,754   +1,148

    If it finds the solution for terraforming planets that could be pretty neat, however if it can't it's more feasible to move to a planet without oxygen or atmospheric moisture that could sustain a "lifeless" way of life.

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...