AI Race: Fighting Cyberattacks at the AI-Powered Hackathon
Published Date: 28/07/2024
In a two-year contest sponsored by DARPA, hackers are racing to write a program that can scan millions of lines of open-source code, identify security flaws, and fix them without human intervention.
In a quiet rental house in Orange County, California, a team of hackers from Arizona State University, the University of California-Santa Barbara, and Purdue University gathered for a hackathon to tackle one of the country's biggest security risks: flaws in open-source software. Sponsored by DARPA, the Defense Advanced Research Projects Agency, the two-year contest aims to develop an end-to-end 'cyber reasoning system' that leverages large language models to find vulnerabilities, prove they are vulnerabilities, and patch them.
The team, called Shellphish, is one of about 40 contestants in the competition, known as AIxCC, for artificial intelligence cyber challenge. They are grappling with the often grim reality behind lofty AI aspirations, imposing 'sanity checks' to catch hallucinations, verifying that patches actually solve the issues they are supposed to, and having two AI systems debate each other over the best fixes — with a third AI deciding the winner.
The risks of open-source software have been underscored recently by two very different incidents. In 2017, a vulnerability in a small program for keeping track of system activity, known as Log4j, was exploited, exposing the personal information of half of all Americans. And in March, a Microsoft engineer discovered a back door for spying inserted by the maintainer of a popular open-source tool.
To address these risks, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has responded with small grants to start-ups, and has been pushing companies to declare what's inside their software. But those are slow-moving initiatives. The Shellphish team and others like them are racing to develop AI-enhanced programs that can digest and improve millions of lines of real code.
Under the terms of the DARPA contest, all finalists must release their programs as open source, so that software vendors and consumers will be able to run them. If successful, the AI-powered hackathon could give humans more time to try to address the country's biggest security risks.
FAQs:
Q: What is the goal of the AIxCC contest?
A: The goal is to develop an end-to-end 'cyber reasoning system' that leverages large language models to find vulnerabilities, prove they are vulnerabilities, and patch them.
Q: What is the risk of open-source software?
A: The risk is that poorly maintained free code can be exploited to seize control of a machine.
Q: What is the Log4j vulnerability?
A: Log4j is a small program for keeping track of system activity that was found to have a massive design flaw that would allow system takeovers.
Q: What is CISA's response to the risks of open-source software?
A: CISA has responded with small grants to start-ups, and has been pushing companies to declare what's inside their software.
Q: What is the outcome of the DARPA contest?
A: All finalists must release their programs as open source, so that software vendors and consumers will be able to run them.