The Story of Mayhem: The Next-Generation in Application Security
In 2011, ForAllSecure co-founders, Thanassis Avgerinos and Alex Rebert, then students at Carnegie Mellon University led by Professor David Brumley, were pondering what to name their new technology. As the result of years of research on fuzzing combined with symbolic execution they were at a point where they had a bleeding-edge technology the world had never seen before but they were unsure of what to call their findings.
“We wanted a name for a system that ‘breaks’ programs,” recalled co-founder and Vice President of Engineering, Thanassis Avgerinos.
Thanassis and Alex wanted a name that would accurately describe the controlled chaos that is fuzz testing and stood out from other security solutions. They took inspiration from Chaos Engineering, first popularized by Netflix in 2011. Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system's capability to withstand turbulent conditions in production. Similar to the theory of Chaos Engineering, fuzzing involves inputting massive amounts of random data to the test subject in an attempt to make it crash. The inspiration from Netflix and Chaos Engineering lead Alex and Thanassis to call their new technology “Mayhem”.
“We create controlled mayhem for you to make your software resilient in the face of chaos,” said Alex Rebert, co-founder and Head of Innovation at ForAllSecure.
The team discovered that what makes Mayhem different from other application security solutions is that it combined efforts of fuzz testing with the ingenuity of symbolic execution. The latter gave Mayhem the ability to acquire intelligence of its targets over time; deepening its analysis and maximizing its code coverage. Thanassis, Alex, and David quickly capitalized on their new technology by acquiring patents for their work.
Want to Learn More About Fuzz Testing?
Tune in to FuzzCon TV to get the latest fuzzing takes directly from industry experts.
Mayhem Goes to Battle
An early prototype of Mayhem was first put to the test in 2016 when it qualified as a finalist for the DARPA Cyber Grand Challenge in Las Vegas in 2016. Hosted on a brightly-lit, air-gapped stage in the Paris Hotel ballroom, Mayhem, along with the six other finalists, competed in a controlled environment called DECREE. Built by DARPA, DECREE (DARPA Experimental Cybersecurity Research Evaluation Environment) is an open-source operating system extension built exclusively for computer security research and experimentation. In this environment Mayhem was able to perform and execute tasks autonomously and without human intervention including automatically patching vulnerabilities -- something that has yet to be done in the real world today. It's important to point out the evolution of Mayhem from DARPA CGC-winning prototype to the advanced fuzz-testing technology it is today. By competing in the DARPA CGC, the ForAllSecure researchers were able to iterate on Mayhem and bring lessons learned from the DARPA CGC into real-world situations.
“DARPA CGC gave the world, for the first time, an objective competition to measure how well different approaches to [security] work on a level playing field. We can test, we can compare against others, and if we miss something — some important detail others figured out — we'll know,” recalled ForAllSecure CEO, David Brumley.
DARPA CGC set the stage for Mayhem and autonomous security. Since then, Mayhem -- now called Mayhem for Code -- continues to revolutionize the application security world, while it may not be automatically patching vulnerabilities, we have added many new features to Mayhem for Code that solves real-world problems. Most recently, Mayhem for Code can automatically ingest and scan Docker images.
The Mayhem Portfolio
A decade and many accolades later, ForAllSecure’s Mayhem has matured into a portfolio of complementary products.
Mayhem for Code, our legacy advanced fuzz testing solution, secures applications at machine speed, scale, and accuracy. With negligible operational changes, it fits seamlessly into development workflows and environments to deliver accurate results. Mayhem for Code helps organizations dramatically reduce manual testing efforts with autonomous defect detection and validation.
Mayhem for API, a reliability and performance API fuzzer, addresses the lack of fuzz testing for APIs today and was built with developers in mind. Mayhem for API integrates natively with source code management systems, like GitHub, to allow teams to automatically test APIs with each pull request so developers can get performance and reliability results in their PR comments. Security engineers get those results as well without having to run scans themselves so they can provide timely advice regarding security vulnerabilities.
Interested in Mayhem for Code and/or Mayhem for API? Visit ForAllSecure for more information.