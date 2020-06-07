Late last year, David Haynes, a security engineer at Internet infrastructure company Cloudflare, found himself staring at a strange image. "It was pure gibberish," he says. "Lots of gray and black pixels, made by a machine." He declined to share the image, saying it would be a security risk.

Haynes's caution was understandable. The image was created by a tool called Mayhem, which probes software to find unknown security flaws. Mayhem is made by ForAllSecure, a startup created at Carnegie Mellon University. Haynes had been testing it on Cloudflare software that resizes images to speed up websites, and had given it several sample photos. Mayhem transformed them into cursed images that stopped the photo-processing software from working by triggering an unintended error, a weakness that could have caused headaches for customers paying Cloudflare to keep their websites running smoothly.

Cloudflare has made Mayhem a standard part of its security tools. The US Air Force, Navy, and Army have also used it. Last month, the Pentagon awarded ForAllSecure a $45 million contract to expand Mayhem's use in the US military. The department has many bugs to find. A 2018 government report found that nearly all of the weapons systems the Department of Defense tested between 2012 and 2017 had serious software vulnerabilities.

Mayhem is not sophisticated enough to completely replace the work of human bug finders, who use software design knowledge, code reading skills, creativity, and intuition to find flaws. But ForAllSecure co-founder and CEO David Brumley says the tool can help human experts do more. The world's software has more security holes than experts have time to find, and more flaws are shipped every minute. "Security is not about being safe or insecure; it's about how fast you can move," says Brumley.

Mayhem originated from an unusual hacking contest held in 2016 in a Las Vegas casino ballroom. Hundreds of people showed up to watch the Cyber Grand Challenge, organized by DARPA, the Pentagon's research agency. But there was no human on stage, just seven strikingly lit computer servers. Each one hosted a bot that tried to find and exploit bugs on the other servers, while also finding and patching its own flaws. After eight hours, Mayhem, made by a team from Brumley's Carnegie Mellon security lab, won the $2 million jackpot. Its magenta-lit server landed in the Smithsonian.

Brumley, who is still a Carnegie Mellon professor, says the experience convinced him that what his lab had built could be useful in the real world. He put aside the offensive capabilities of his team's bot, reasoning that defense was more important, and set about marketing it. "The Cyber Grand Challenge demonstrated that fully autonomous security is possible," he says. "Computers can do a reasonably good job."

United States contract

The governments of China and Israel also thought so. Both offered contracts, but ForAllSecure signed up with Uncle Sam. It was awarded a contract with the Defense Innovation Unit, a group in the Pentagon trying to accelerate the adoption of new technology in the US military.

ForAllSecure was challenged to test Mayhem's mettle by looking for flaws in the control software for a commercial airliner with a military variant used by US forces. Within minutes, the automated hacker found a vulnerability that was later verified and corrected by the aircraft manufacturer.

Other bugs Mayhem found include one discovered earlier this year in OpenWRT software used on millions of network devices. Last fall, two company interns got a payout from Netflix's bug bounty program after they used Mayhem to find a flaw in the software that allows people to send videos from their phone to a TV.

Brumley says the interest from automotive and aerospace companies is particularly strong. Cars and planes are increasingly reliant on software, which needs to run reliably for years and is rarely, if ever, updated.

Mayhem only works on programs for Linux-based operating systems and finds bugs in two ways, one scattershot, the other more targeted.

The first is a technique called fuzzing, which involves bombarding the target software with randomly generated inputs, such as commands or photos, and observing whether any of them makes it crash or freeze. The second, called symbolic execution, involves creating a simplified mathematical representation of the target software. That double can be analyzed to identify possible weak points in the real target.
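The fuzzing half of that description, as a small runnable sketch added here for illustration; it is not code from Mayhem, ForAllSecure or Cloudflare. The `TIMG` format, the toy resizer and its planted bug are all constructed for the example, which mutates one valid sample image and compares the unchecked parser with a hardened one.

```python
import random
import struct

SEED = b"TIMG" + struct.pack(">HH", 4, 4) + bytes(range(16))  # constructed 4x4 sample

def downscale(data: bytes) -> bytes:
    """Toy resizer: keep every second pixel of every second row."""
    if len(data) < 8 or data[:4] != b"TIMG":
        raise ValueError("not a TIMG file")  # clean rejection, not a bug
    width, height = struct.unpack(">HH", data[4:8])
    pixels = data[8:]
    # Planted defect: the header is trusted and never compared with len(pixels).
    return bytes(pixels[y * width + x]
                 for y in range(0, height, 2) for x in range(0, width, 2))

def downscale_checked(data: bytes) -> bytes:
    """Same resizer with the header validated before any pixel is read."""
    if len(data) >= 8 and data[:4] == b"TIMG":
        width, height = struct.unpack(">HH", data[4:8])
        if width * height != len(data) - 8:
            raise ValueError("header does not match pixel data")
    return downscale(data)

def fuzz(target, seed: bytes, rounds: int = 500, rng_seed: int = 0):
    """Mutate one random byte of the seed per round; collect unexpected failures."""
    rng = random.Random(rng_seed)  # fixed seed so every run is reproducible
    crashes = []
    for _ in range(rounds):
        sample = bytearray(seed)
        sample[rng.randrange(len(sample))] = rng.randrange(256)
        try:
            target(bytes(sample))
        except ValueError:
            pass  # input was rejected on purpose
        except Exception as exc:  # anything else is a bug worth triaging
            crashes.append((bytes(sample), type(exc).__name__))
    return crashes

if __name__ == "__main__":
    found = fuzz(downscale, SEED)
    print(f"unchecked: {len(found)} crashing inputs, e.g. {found[0]}")
    print(f"checked:   {len(fuzz(downscale_checked, SEED))} crashing inputs")
```

Each saved crashing input is a reproducer that can be replayed against the parser after a fix, which is how a finding like the one Haynes describes becomes a regression test.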

Fuzzing has become more widely used in computer security in recent years. Last year, Google released a fuzzing tool that it says has found more than 16,000 bugs in its Chrome browser. But Cloudflare's Haynes says the technique is not yet commonly used in the industry because fuzzing tools generally require too much careful tailoring to each target program. ForAllSecure has built Mayhem to be more adaptable, he says, allowing Cloudflare to use fuzzing more routinely. Symbolic execution can find more complex bugs and has previously been used primarily in research labs, Haynes says.

Humans are still needed

Ruoyu Wang, a professor at Arizona State University, hopes Mayhem is just the beginning of a more automated future for computer security, but says that future will require bug-finding bots to collaborate more with humans.

Mayhem shows that automation can do useful work, says Wang, but existing automatic bug finders can't be of much help with complex internet services or software packages. The best software is not smart enough to understand the intent and function of programs as people do. Mayhem's ability to try many different things faster than any human is not a substitute. "Many of the difficult problems in automatic vulnerability scanning are far from resolved," says Wang.

Wang was part of a team called Mechanical Phish that ranked third in the DARPA 2016 tournament that kicked off Mayhem. He is now working on a new research program at the agency called CHESS, which is trying to make more powerful bug-finding software that draws on humans for help with things that machines can't grasp. "Right now, cutting-edge automation doesn't know when it's hitting a barrier," says Wang. "You should realize that and consult a human." Today Mayhem looks for bugs by itself, but its descendants may be team players.

This article first appeared on wired.com.