The Internet of Things is exploding — think smartphones, self-driving vehicles, Bluetooth coffeemakers — but software for these devices can be vulnerable to attack. Fixing bugs is an expensive grind, but a Carnegie Mellon University startup aims to change that with “Mayhem.”
Mayhem, an autonomous debugging computer system developed by ForAllSecure, won the Defense Advanced Research Projects Agency’s (DARPA) Cyber Grand Challenge, taking home its $2 million first-place prize. The Department of Defense’s research and development arm designed the game-based challenge to mirror software risks and inspire innovation to help create technology for securing the world’s computers.
ForAllSecure was co-founded by three CMU alumni in 2012:
- David Brumley, who earned his Ph.D. from CMU’s School of Computer Science in 2008 and is director of CMU’s CyLab Security and Privacy Institute;
- Thanassis Avgerinos, who earned his master’s degree in 2013 and Ph.D. in 2014 in electrical and computer engineering; and
- Alex Rebert, who earned his master’s degree (2015) in electrical and computer engineering.
The three co-founders and the rest of their eight-member team spent two years building Mayhem.
The challenge had several rounds of competition over the course of a year and was open to any entity, from academia to the private sector. More than 100 elite teams entered, and the top seven teams were chosen for the Aug. 4 finals. Each of the finalists received $750,000 to prepare for the final competition.
Mayhem was the best at scanning software for bugs, generating exploits and fixing vulnerabilities — all done autonomously.
Brumley points to the strong ecosystem and teamwork as the key to winning. “There’s really this incredible [software security] ecosystem here at CMU and Pittsburgh,” he said. “It’s world class.”
“This is a shining moment for a startup born at Carnegie Mellon,” echoed Jim Garrett, dean of CMU's College of Engineering. “We couldn’t be more proud of ForAllSecure for applying its vision to the development of cutting-edge technology that addresses the global issue of security.”
Thanks to the challenge, hundreds of new pieces of software are available in the public domain for researchers to hack, reverse engineer and innovate.
“DARPA was created nearly 60 years ago to prevent technological surprise, and I can think of no better way of doing that in today’s networked world than by developing automated, scalable systems able to find and fix software vulnerabilities at machine speed,” said DARPA Director Arati Prabhakar. “Our goal in cyber is to break past the reactive patch cycle we're living in today, and unleash the positive power and creative potential of the information revolution.”
As for ForAllSecure, Brumley said the prize money will help the Pittsburgh-based company bring Mayhem technology to consumers in the near future, in order to help safeguard the personal information contained in technology-driven consumer devices, such as smartphones and thermostats.
“You can rely on antivirus to catch malware, once you’ve been infected, but there’s nothing that helps you answer: Is this a safe program or not?” Brumley said. “So we want to use this CGC Challenge technology to answer that question for people. We believe our technology can make the world's computers safe and secure.”
Photo: The winning ForAllSecure team (L-R): Ryan Goulden, Thanassis Avgerinos (E 2013, 2014), Alex Rebert (E 2015), Ned Williamson, David Brumley (CS 2008; Faculty), John Davis (CS 2013), Chelsea Mastilak and Tyler Nighswander (S 2013, CS 2013). Photo credit: DARPA