Carnegie Mellon University
July 29, 2016

CMU Professor To Compete in Computer Vs. Computer Hacking

Brumley's spinoff ForAllSecure Is One of Seven Teams in the DARPA Cyber Grand Challenge

Daniel Tkacik / 412-268-1187 /

Cyber grand challenge

Carnegie Mellon University's David Brumley is heading to a national stage to compete against the country's best bug finders.

Brumley, co-founder of the CMU spinoff ForAllSecure, will compete for the grand prize at the Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge, a first-of-its-kind hacking contest between computers, on Aug. 4 in Las Vegas. The winner among the seven teams will take home $2 million. Brumley has a vision for ForAllSecure's automated bug-finding system that reaches far beyond the contest.

"What we hope to be able to do is make it so everyone can check the security of their software," said Brumley, CEO of ForAllSecure, director of Carnegie Mellon CyLab, and professor of electrical and computer engineering (ECE). "Right now, only the developer of that device or that program can check, but we want to free that ability for everyone."

"We have a shared vision, and that vision is to make the world's software safer by building better tools," said ECE alumnus Thanassis Avgerinos of ForAllSecure, which he co-founded with Brumley and fellow ECE graduate student Alex Rebert. "We want to do this by developing a system that automatically finds security bugs before the bad guys do, and fixes them."

Automated bug-finding is a relatively new area emerging in a field struggling to meet employment demands. Brumley said that automated bug-finding systems would not replace people; humans will always hold the necessary expertise and creativity in an ever-evolving cyber world, while automation will provide much needed speed and scale. He said more experts are needed, as the technology will only be as strong as the talent leading its development.

When it comes to defenders and attackers of software, there is a significant imbalance of power: defenders have to make sure every piece is secure, while attackers only need to find a single vulnerability to take control.

"Our best data tell us that that hole will work for about a year before it's discovered by defenders," DARPA Program Manager Mike Walker, the lead organizer of the Cyber Grand Challenge, said in a recent 60 Minutes interview. "You want computers to be able to defend themselves, and it's going to change the balance of power between attackers and defenders."

ForAllSecure's automatic bug-finding system consists of multiple components working in tandem. For example, while one component looks for bugs, another component takes those bugs and converts them into exploits, and yet another fixes the software.

"Everything is working somewhat independently, almost like different people with different jobs," said Tyler Nighswander, a School of Computer Science and Mellon College of Science alumnus and engineer for ForAllSecure.