Carnegie Mellon University


August 09, 2016

CyLab wins big during DefCon weekend

Carnegie Mellon University’s CyLab Security and Privacy Institute is celebrating winning big in Vegas, as home of the champions of two major hacking competitions this past weekend. 

Computers vs. Computers: Cyber Grand Challenge

ForAllSecure, a Carnegie Mellon spinoff startup, took home the $2 million prize as the winners of the DARPA Cyber Grand Challenge (CGC), a first-of-its-kind hacking contest in which all participants are autonomous computer systems. ForAllSecure was one of seven finalist teams in the contest, which took place on Thursday, August 4th, in Las Vegas, Nevada.

“Our vision is to check the world’s software for exploitable bugs so they can be fixed before attackers use them to hack computers,” says David Brumley, who wears several hats as CEO of ForAllSecure, director of CyLab, and professor of Electrical and Computer Engineering. “We believe our technology can make the world’s computers safe and secure.”

ForAllSecure’s system, dubbed “MAYHEM” by the team, scans software for bugs, generates exploits, and fixes vulnerabilities. The system performs every task completely autonomously.

“This is a shining moment for a startup born at Carnegie Mellon,” says Jim Garrett, Dean of CMU’s College of Engineering. “We couldn’t be more proud of ForAllSecure for applying its vision to the development of cutting-edge technology that addresses the global issue of security.”

DARPA launched the CGC in response to the recent increase in software bugs, due in large part to the explosion of the Internet of Things—billions of connected devices like smart thermostats or fitness trackers that are built with little regard to cybersecurity. The challenge aimed to identify state-of-the-art technology to find these bugs quickly, and at scale.

Humans vs. Humans and Computers: DefCon Capture the Flag

Not to be outdone, Carnegie Mellon’s competitive computer security team, The Plaid Parliament of Pwning (PPP), won its third title in four years at the DefCon Capture the Flag competition. 

The DefCon Capture the Flag competition, widely considered the “World Series of Hacking,” took place August 7 – 9, also in Las Vegas.

Brumley is the faculty advisor to PPP. “Our team has put in thousands of hours of practice, and it is rewarding to see them win amongst the best hackers in the world,” said Brumley. “Every year this competition becomes harder and harder to win.”

Capture the Flag (CTF) is one of the most popular competitive hacking games in the world, with hundreds of smaller CTFs being held annually. During these competitions, teams try to break into competitors’ servers while protecting their own. After achieving a successful breach, teams catch virtual “flags” and earn points.

While thousands of CTF teams exist worldwide, only 15 teams representing at least 10 countries qualified for this year’s DefCon CTF.

“The consistency of our team’s performance over the last four years demonstrates CMU’s strength in cybersecurity education and research,” says Dean Garrett. “These students will clearly help drive the next level of cybersecurity.”

Carnegie Mellon’s win comes at a time when the computer security field is struggling to find suitable hires to join the workforce. These contests give people a place to practice and hone their computer security skills.

“These contests are critically important to developing a skilled cybersecurity workforce,” says Brumley.

ForAllSecure was co-founded in 2012 by Brumley and two Carnegie Mellon graduate students, Thanassis Avgerinos and Alex Rebert. The startup currently has nine employees and is based in Pittsburgh, Pennsylvania. The Carnegie Mellon hacking team formed in 2009 and began competing in DEFCON’s Capture the Flag competition in 2010. Prior to this year, the team held two DefCon Capture the Flag titles from 2013 and 2014.