The Department of Defense (DoD) maintains information systems that depend on Commercial off-the-shelf (COTS) software, Government off-the-shelf (GOTS) software, and Free and open-source (FOSS) software. Securing this diverse technology base requires highly skilled hackers who reason about the functionality of software and identify novel vulnerabilities. This process requires hundreds or thousands of hours of manual effort per discovered vulnerability and does not scale sufficiently to secure the continuously growing technology base.
Hackers use program analysis techniques and tools to identify and mitigate vulnerabilities, but this process requires considerable expertise, manual effort, and time. These techniques include dynamic analysis, static analysis, symbolic execution, constraint solving, data flow tracking, and fuzz testing. Due to the rapidity of cyber-attacks, and the sheer volume of attacks that could potentially occur, there is a need for autonomy that can react in milliseconds to protect critical systems and mission components. Because these speeds are far beyond what human operators can achieve, system autonomy will form a critical aspect of cyber defense.
Automated program analysis capabilities can reason over only a few vulnerability classes without human involvement, such as memory corruption or integer overflow, but cannot address the majority of vulnerabilities. These unaddressed vulnerability types depend on subtle semantic and contextual information, which is beyond the grasp of modern automation. Scaling up existing approaches to address the size and complexity of modern software packages is not possible given the limited number of expert hackers in the world, much less within the Department of Defense (DoD).
“One of the things driving them to apply AI and ML to security operations is there are not many security experts in the world for hiring. AI doubles the effectiveness of human security experts. It is amazing. Humans with the help of AI are able to detect all kinds of attacks that humans alone could not detect,” said Witten. Witten believes that AI should handle tons of data, letting humans focus on strategy.
In a recent blog post, McAfee’s chief technology officer, Steve Grobman, said that in the field of cyber security, as long as there is a shortage of human talent, the industry must rely on technologies such as artificial intelligence and ML to amplify the capabilities of humans.
However, he added, as long as there are human adversaries behind cybercrime and cyber warfare, there will always be a critical need for human intellect teamed with technology.
DARPA launched the program, called Computers and Humans Exploring Software Security, or CHESS, on April 3.
The CHESS program will develop capabilities to discover and address vulnerabilities of all types in a scalable, timely, and consistent manner. DARPA believes that achieving the necessary scale and timelines in vulnerability discovery will require innovative combinations of automated program analysis techniques with support for advanced computer-human collaboration (CHC). Due to the cost/scarcity of expert hackers, such capabilities must be able to collaborate with humans of varying skill levels, even those with no previous hacking experience or relevant domain knowledge.
The goal of the CHESS program is to research the effectiveness of enabling computers and humans to collaboratively reason over software artifacts (source code, compiled binaries, etc.) for the purpose of finding 0-day vulnerabilities at a scale and speed appropriate for the complex software ecosystem upon which the U.S. Government, military, and economy depend.
The idea for the program occurred to its director, Dustin Fraze, while watching a cybersecurity contest at the DEF CON hacking conference, Brian Pierce, director of DARPA’s Information Innovation Office, told Nextgov.
The team, dubbed Shellphish, from the University of California, Santa Barbara, had built an autonomous cybersecurity system to compete in DARPA’s Cyber Grand Challenge. Under the rules for that contest, teams’ autonomous systems compete against each other to repel cyberattacks without any human intervention once the starting bell rings.
DEF CON’s Capture the Flag contest, on the other hand, traditionally pits human cyberattackers and defenders against each other without any autonomous systems in the mix. But, because there’s no rule explicitly barring those systems, Shellphish added its “autonomous cyber-creature” Mechanical Phish to the team roster. “It was intriguing to look at the partitioning of work between what the human hackers can do and what the computers can do,” Pierce said.
The program reflects one of three main cyber areas DARPA is focusing on, Pierce said. Broadly, the agency’s goals are to: make systems more secure and resilient against cyber threats; improve situational awareness in cyberspace, including better attributing cyberattacks; and improve the military’s ability to strike back in cyberspace in a precise, tactical manner that reduces the chance for collateral damage or unintended consequences.
CHESS contributes to that first goal, Pierce said. Other DARPA programs focus on making it cheaper and easier to build software using “formal methods,” a process that applies mathematical proofs to computer code to ensure the code can’t do anything it’s not intended to.
A main program aimed at the second priority is called Enhanced Attribution. The goal, Pierce said, is to combine and analyze public data about internet activity that, in aggregate, makes it easier to attribute cyberattacks to particular attackers.
The CHESS program will research the effectiveness of enabling computers and humans to collaboratively reason over software artifacts (source code, compiled binaries, etc.) with the goal of finding 0-day vulnerabilities at a scale and speed appropriate for the complex software ecosystem upon which the U.S. Government, military, and economy depend.
Achieving these goals will require research breakthroughs in:
o Developing instrumentation to capture and analyze the process by which hackers reason over software artifacts to provide a basis for developing new forms of highly effective communication and information sharing between computers and humans;
o Creating techniques for addressing classes of vulnerability that are currently hampered by information gaps and require human insight and/or contextually sensitive reasoning;
o Generating representations of the information gaps for human collaborators of varying skill levels to reason over;
o Integrating human-generated insights into the vulnerability discovery process;
o Emitting a Proof of Vulnerability (PoV) to confirm existence of the 0-day vulnerability, and generating a non-disruptive, specific patch to neutralize the 0-day vulnerability; and
o Synthesizing vulnerable Challenge Set (CS) corpora representative of large, real world, complex software packages.