Watching the conclusion of the DARPA Cyber Grand Challenge at Def Con in 2016 felt like getting a glimpse into the future. At the time, and in subsequent media interviews (New Scientist, Cipher Brief) I noted that I had been caught by surprise and went into the event expecting incremental innovation and left thinking I’d just witnessed a great leap forward in the cyber domain.
Recognizing the potential for machine intelligence and AI augmentation of human cyberdefenders, DARPA has announced a natural successor to the Cyber Grand Challenge with their CHESS program. As noted on the DARPA website:
“To address the challenges facing our abilities to scale and accelerate vulnerability detection, DARPA’s Information Innovation Office (I2O) today announced the Computers and Humans Exploring Software Security (CHESS) program. CHESS aims to develop capabilities to discover and address zero-day vulnerabilities at a speed and scale appropriate for the continuously growing, complex software ecosystem by enabling humans and computers to collaboratively reason over software artifacts. Moving from a manual, human-driven process to one that is based on advanced computer-human collaboration creates opportunities for a broader range of technical–or potentially non-technical–experts to assist in the detection and remediation of known and emerging threats…
The CHESS program will research the effectiveness of enabling computers and humans to collaboratively reason over software artifacts, such as source code and compiled binaries, with the goal of finding 0-day vulnerabilities at a scale and speed appropriate for the complex software ecosystem upon which the U.S. Government, military, and economy depend. Achieving these goals will require research breakthroughs in:
- Creating techniques for addressing classes of vulnerability that are currently hampered by information gaps and require human insight and/or contextually sensitive reasoning;
- Generating representations of the information gaps for human collaborators of varying skill levels to reason over;
- Integrating human-generated insights into the vulnerability discovery process;
- Emitting a Proof of Vulnerability to confirm existence of the 0-day vulnerability, and generating a non-disruptive, specific patch to neutralize the 0-day vulnerability;
- Synthesizing vulnerable Challenge Set corpora representative of large, real world, complex software packages.
”
Over the 42 months of the program I expect we’ll another revolution in the cyber domain. It will be worth tracking closely.
For more information visit the DARPA CHESS program page