Innovators under 35

I am truly honored to share that I have been named to MIT Technology Review’s prestigious annual list of Innovators Under 35 as a Pioneer. The award, first given by the magazine in 1999, celebrates young innovators who are poised to be leaders in their fields. Many amazing people have been given this award: Larry Page and Sergey Brin of Google; Mark Zuckerberg of Facebook; Max Levchin of PayPal. I am humbled to be in such great company.

Gideon Lichfield, editor-in-chief of MIT Technology Review, said: “MIT Technology Review inherently focuses on technology first – the breakthroughs and their potential to disrupt our lives. Our annual Innovators Under 35 list is a chance for us to honor the outstanding people behind those technologies. We hope these profiles offer a glimpse into what the face of technology looks like today as well as in the future.”

The award is a recognition of my work on Mayhem – the autonomous cyber reasoning system that competed in and won the DARPA Cyber Grand Challenge. While this award is inherently individual, I would like to recognize the amazing people that poured years of their lives into taking Mayhem from a research idea to the winning system, especially David Brumley, Thanassis Avgerinos, Sang Kil Cha, John Davis, Tyler Nighswander, Ryan Goulden and Ned Williamson. Every single one of them deserves this award as much as I do.

Mayhem: from research project to winning the DARPA Cyber Grand Challenge

Mayhem was originally started by David Brumley, Thanassis Avgerinos, Sang Kil Cha and myself at Carnegie Mellon University. We made advances in the area of formal verification of software programs that allowed our analyses to scale to larger software. Our work won an ACM Distinguished Paper award after finding thousands of bugs in linux software.

Over the past few years, I led the development of the Mayhem Cyber Reasoning System, which culminated in 2016 in two historic events: the DARPA Cyber Grand Challenge, the first all-machine hacking competition, which pitted 7 fully autonomous systems against each other, and DEFCON, which challenged 14 of the best hacking teams against a completely autonomous system.

Mayhem won first place and $2 million in the Cyber Grand Challenge. Mayhem then went on to compete against elite hackers at DEFCON, where it held its ground showing that 1st generation systems are already competitive with the world’s best hackers.

What machines (currently) lack in creativity, they make up for in speed, tenacity & scale. Mayhem analyzes thousands of programs in parallel in a few hours, a task that would take a human many years of tedious work. Mayhem can find thousands of bugs and previously unknown vulnerabilities in a day running on the cloud. In the time it takes an expert to open up a file, an automated system may have looked at hundreds.

Beyond the Cyber Grand Challenge: defending real-world systems

We’re on the cusp of the age of automated computer security reasoning, and we have to adapt the way we think about security accordingly. In a world where cyberattacks are becoming commonplace and are increasingly leveraged by nation states to disrupt weapon development, power grids, and elections, computer security becomes a national security issue. With the shortage of computer security experts and the increasing volume of software in our daily lives, relying solely on human expertise is insufficient and dangerous. Automated computer security tools are a necessity to protect ourselves.

To meet this need, we founded ForAllSecure with the vision to automatically check the world’s software for security vulnerabilities. We are actively working on adapting our cyber-reasoning technology to secure critical systems and infrastructure both in the public and private sector. If you would like to hear more about how Mayhem can be applied to your software, please go to

Applying Cyber Grand Challenge Technology to Real Software

I first heard about Mayhem when I read that researchers at my university, Carnegie Mellon, had reported 1200 crashes in Debianjust by running their binary analysis system on Debian programs for 15 minutes at a time. When I learned that the technology developed by those researchers was spun out as a startup, ForAllSecure, I knew I had to get involved.

Continue reading “Applying Cyber Grand Challenge Technology to Real Software”

Why ForAllSecure is on MIT Technology Review’s 2017 List of Smartest Companies

I am honored to share that ForAllSecure has been named to MIT Technology Review’s 2017 list of 50 Smartest Companies.   According to the MIT Tech Review team, to make the list, a company must exhibit technological leadership and business acumen, which set them apart from competitors. 

Nanette Byrnes, senior editor for MIT Tech Review business shared:

“Public and private, large and small, based in countries around the globe, this group of companies is creating new opportunities and pouncing on them. These are the ones that competitors must follow.”
Continue reading “Why ForAllSecure is on MIT Technology Review’s 2017 List of Smartest Companies”

Case Study: LEGIT_00004

LEGIT_00004 was a challenge from Defcon CTF that implemented a file system in memory. The intended bug was a tricky memory leak that the challenge author didn’t expect Mayhem to get. However, Mayhem found an unintended null-byte overwrite bug that it leveraged to gain arbitrary code execution. We heard that other teams noticed this bug, but thought it would too hard to deal with. Mayhem 1 – Humans 0. In the rest of this article,  we will explain what the bug was, and how Mayhem used it to create a full-fledged exploit.

Continue reading “Case Study: LEGIT_00004”

Mayhem Wins DARPA CGC

Mayhem CRS.jpg

Mayhem is a fully autonomous system for finding and fixing computer security vulnerabilities.On Thursday, August 4, 2016, Mayhem competed in the historical DARPA Cyber Grand Challenge against other computers in a fully automatic hacking contest…and won.  The team walked away with $2 million dollars, which ForAllSecure will use to continue its mission to automatically check the world’s software for exploitable bugs.

Continue reading “Mayhem Wins DARPA CGC”

Why CGC Matters to Me

By David Brumley

In 2008 I started as a new assistant professor at CMU. I sat down, thought hard about what I had learned from graduate school, and tried to figure out what to do next. My advisor in graduate school was Dawn Song, one of the top scholars in computer security. She would go on to win a MacArthur “Genius” Award in 2010. She’s a hard act to follow. I was constantly reminded of this because, by some weird twist of fate, I was given her office when she moved from CMU to Berkeley.

The research vision I came up with is the same I have today:

Automatically check the world’s software for exploitable bugs.

To me, the two most important words are “automatically” and “exploitable”. “Automatically” because we produce software far faster than humans could check it manually (and manual analysis is unfortunately far too common in practice). “Exploitable” because I didn’t want to find just any bugs, but those that could be used by attackers to break into systems.

Continue reading “Why CGC Matters to Me”

Live Streaming Security Games

Aside from our cool research, ForAllSecure also works on creating fun and engaging games to promote computer security. Just about every employee in our company has been involved in Capture the Flag exercises for the past several years, and we have been hosting these online events for our customers for about 3 years now. One of our big dreams is to see these types of contests gain in popularity, similar to how e-sports grew. Continue reading “Live Streaming Security Games”

The Motivation and Design Behind Autogenerated Challenges

In nearly all CTF competitions organizers spend dozens of hours creating challenges that are compiled once with no thought for variation or alternate deployments. For example, a challenge may hard-code in a flag, making it hard to change later, or hard-code in a system-specific resource.

At ForAllSecure, we are working to build automatically generated challenges from templates. For example, when creating a buffer overflow, you should be able to generate 10 different instances to practice on. And these instances should be able to be deployed anywhere, on a dime. While you can’t automate away the placement of subtle bugs and clever tricks, we can definitely add meaningful sources of variance to challenges without much additional effort, with the added bonus that challenges are easier to deploy.

Continue reading “The Motivation and Design Behind Autogenerated Challenges”

New Year, New Website, and New Blog!

Although we have been very busy at ForAllSecure, we finally got the time to redo our website, huzzah! This website is a bit more pleasing on the eyes, and we hope to add more up-to-date information about our projects and what we’re up to.

Part of this refresh is also a new blog. We plan to talk about interesting things we are working on, so check back frequently! To kick things off, here is a post about some of our work on DARPA’s Cyber Grand Challenge.

Unleashing the Mayhem CRS

In June, ForAllSecure participated in DARPA’s Cyber Grand Challenge (CGC) Qualification Event (CQE) 1. During the event our automated system tweeted its progress, and to continue the trend of openness, we decided to publish a writeup of some more details about our system. Our team, Thanassis Avgerinos, David Brumley, John Davis, Ryan Goulden, Tyler Nighswander, and Alex Rebert spent many thousands of hours on our system, and now that the CQE is over, we’re excited to give you a glimpse of its inner workings.

Continue reading “Unleashing the Mayhem CRS”