Why ForAllSecure is on MIT Technology Review’s 2017 List of Smartest Companies

I am honored to share that ForAllSecure has been named to MIT Technology Review’s 2017 list of 50 Smartest Companies. According to the MIT Tech Review team, to make the list a company must exhibit technological leadership and business acumen that set it apart from its competitors.

Nanette Byrnes, senior editor for business at MIT Tech Review, shared:

“Public and private, large and small, based in countries around the globe, this group of companies is creating new opportunities and pouncing on them. These are the ones that competitors must follow.”
The Case for Autonomous Cybersecurity and The Story of ForAllSecure

In the rest of this post, I will discuss the problems ForAllSecure seeks to solve with its autonomous cybersecurity technology, give a short history of its technology development, and provide an overview of its go-to-market strategy.

Software is increasingly permeating nearly every aspect of our lives. While many of these software-driven technology advances, from medical devices to autonomous vehicles, hold amazing promise to make our lives better, the prevalence of software has also left us more exposed to attack than ever.

The application attack surface is growing by 111 billion new lines of software code every year, with newly reported zero-day exploits rising from one-per-week in 2015 to one-per-day by 2021, according to the Application Security Report from Cybersecurity Ventures.

It’s alarmingly clear that human security analysts simply cannot keep up with the pace of code being written.

With this backdrop, the ForAllSecure team embarked on a mission to build technology that would make software safe, automatically. While at Carnegie Mellon University, our founders, Prof. David Brumley and graduate students Thanassis Avgerinos and Alex Rebert, made key advances in the area of formal verification of software programs. In 2012, they decided to spin out this technology into a startup, ForAllSecure, dedicated to the mission of making the world’s software safe.

To ensure that all the software that surrounds us, on our devices, in our systems and in critical infrastructure, is safe, the checking must be done automatically.

This is what the DARPA Cyber Grand Challenge (CGC), the world’s first machine-only hacking competition, sought to demonstrate to the world in 2016. As the US Dept of Defense’s agency responsible for the development of emerging technologies for national defense, DARPA spent nearly $60M on the two-year CGC program, with over 100 global teams participating in building autonomous systems that could attack and defend without human intervention.

In August 2016, after logging thousands of engineering hours building the ForAllSecure bot, Mayhem, we competed as one of the final seven teams in an exciting showdown, and came out on top.

Read more about the DARPA CGC.

Why Now?

This is the point in the story that brought me to the company.

An engineer by training, I’ve spent my career identifying and catching the waves of enterprise technology disruptions, including the emergence of multi-core processors at Intel, virtualization at VMware and hyperconvergence at Nutanix. I’ve scaled startups from the ground up, helping them translate their technology into products and then bringing them to market.

In the fall of 2016, I was looking for where the next wave of innovation might happen, and zeroed in on security. I’ve noticed over my career that innovation often arises out of dire need, and it seemed like companies and organizations were constantly falling victim to malicious hackers despite massive spending growth on a myriad of security products. The average large enterprise has over 54 security vendors!

With so many startups being funded to tackle this high-growth market, it’s understandably a massively crowded space. However, what struck me when I surveyed the startups exhibiting at RSA this year was that most products seemed to offer some incremental benefit of finding more attacks or slightly lower rates of false positives, but few seemed to be creating new categories of security tools. At ForAllSecure, we believe that it’s possible to decrease the volume of attacks by focusing on the software that is the target of malicious hackers.

According to the Dept of Homeland Security and the Software Engineering Institute, the majority of security incidents arise from exploits against defects in the design or code of software. So why aren’t more technologies being developed to fix the code before it’s shipped?

The answer is complicated, but the reality of the situation is that most tools today require developers to spend lots of cycles running tools on source code and sifting through false positives, while also trying to get their code shipped on time in fast-moving markets. On the other end, professional security analysts (white hat hackers) are employed to find vulnerabilities after code has shipped, before a black hat hacker does. In this model, highly used commercial software like popular browsers or desktop applications has large teams of these white hat hackers dedicated to shaking out vulnerabilities. But the rate at which software is creeping into everything around us creates a mounting problem, one that requires a new human-machine model that can scale AND doesn’t require developers to slow down their rate of output.

Bringing ForAllSecure’s Mayhem to Market

Designed to analyze binaries, the programs that developers have completed and compiled, Mayhem leverages over a decade of research and a patented application of bug-finding techniques to automatically generate exploits that identify vulnerabilities. This means Mayhem solves two fundamental issues that slow down the state of the art today: 1) no need for source code, so even third-party code that is open source or legacy can be analyzed, and 2) zero false positives.

We don’t purport to replace a human security analyst with Mayhem, but instead seek to empower analysts to be more effective. Much in the way centaur teams in chess function, Mayhem enables human analysts to focus on the really difficult issues while it automates analysis, and even patching, at line speed for common classes of vulnerabilities. For example, in the DARPA CGC, Mayhem found the SQL Slammer vulnerability and patched it in under 6 minutes. The real-life version in 2003 wreaked nearly a billion dollars in damage as it attacked over 75K servers before humans were able to update their systems.

There’s been an overwhelming response from companies and organizations looking to use Mayhem since the DARPA CGC event. Today, ForAllSecure’s early clients and design partners include federal organizations and Fortune 500 enterprises that are building consumer and industrial IoT (OT), aerospace and automotive products.

As a company, we are doing our best to scale our small but mighty 10-person team to meet market demand, and we are learning lots along the way about how best to continue developing Mayhem for expanded use cases, for both development teams and software end users.

(Note: We are hiring developers, so please email us if interested!)

Making History

In closing, I thought it would be interesting to bookend the MIT 50 mention with the fact that Mayhem is currently being exhibited as part of the Smithsonian’s Defense in Innovation showcase. We are honored to be delivering our technology to the US Government as a client, as part of our mission to make the world’s software safe, one application at a time.

Case Study: LEGIT_00004

LEGIT_00004 was a challenge from Defcon CTF that implemented a file system in memory. The intended bug was a tricky memory leak that the challenge author didn’t expect Mayhem to get. However, Mayhem found an unintended null-byte overwrite bug that it leveraged to gain arbitrary code execution. We heard that other teams noticed this bug, but thought it would be too hard to deal with. Mayhem 1 – Humans 0. In the rest of this article, we will explain what the bug was, and how Mayhem used it to create a full-fledged exploit.

Mayhem Wins DARPA CGC

Mayhem is a fully autonomous system for finding and fixing computer security vulnerabilities. On Thursday, August 4, 2016, Mayhem competed in the historic DARPA Cyber Grand Challenge against other computers in a fully automatic hacking contest… and won. The team walked away with $2 million, which ForAllSecure will use to continue its mission to automatically check the world’s software for exploitable bugs.

Why CGC Matters to Me

By David Brumley

In 2008 I started as a new assistant professor at CMU. I sat down, thought hard about what I had learned from graduate school, and tried to figure out what to do next. My advisor in graduate school was Dawn Song, one of the top scholars in computer security. She would go on to win a MacArthur “Genius” Award in 2010. She’s a hard act to follow. I was constantly reminded of this because, by some weird twist of fate, I was given her office when she moved from CMU to Berkeley.

The research vision I came up with is the same I have today:

Automatically check the world’s software for exploitable bugs.

To me, the two most important words are “automatically” and “exploitable”. “Automatically” because we produce software far faster than humans could check it manually (and manual analysis is unfortunately far too common in practice). “Exploitable” because I didn’t want to find just any bugs, but those that could be used by attackers to break into systems.


Live Streaming Security Games

Aside from our cool research, ForAllSecure also works on creating fun and engaging games to promote computer security. Just about every employee in our company has been involved in Capture the Flag exercises for the past several years, and we have been hosting these online events for our customers for about 3 years now. One of our big dreams is to see these types of contests gain in popularity, similar to how e-sports grew.

The Motivation and Design Behind Autogenerated Challenges

In nearly all CTF competitions, organizers spend dozens of hours creating challenges that are compiled once with no thought for variation or alternate deployments. For example, a challenge may hard-code a flag, making it hard to change later, or hard-code a system-specific resource.

At ForAllSecure, we are working to build automatically generated challenges from templates. For example, when creating a buffer overflow challenge, you should be able to generate 10 different instances to practice on, and these instances should be deployable anywhere, on a dime. While you can’t automate away the placement of subtle bugs and clever tricks, we can definitely add meaningful sources of variance to challenges without much additional effort, with the added bonus that challenges become easier to deploy.

New Year, New Website, and New Blog!

Although we have been very busy at ForAllSecure, we finally got the time to redo our website, huzzah! This website is a bit more pleasing on the eyes, and we hope to add more up-to-date information about our projects and what we’re up to.

Part of this refresh is also a new blog. We plan to talk about interesting things we are working on, so check back frequently! To kick things off, here is a post about some of our work on DARPA’s Cyber Grand Challenge.

Unleashing the Mayhem CRS

In June, ForAllSecure participated in DARPA’s Cyber Grand Challenge (CGC) Qualification Event (CQE). During the event our automated system tweeted its progress, and to continue the trend of openness, we decided to publish a writeup with more details about our system. Our team, Thanassis Avgerinos, David Brumley, John Davis, Ryan Goulden, Tyler Nighswander, and Alex Rebert, spent many thousands of hours on our system, and now that the CQE is over, we’re excited to give you a glimpse of its inner workings.