DARPA Launches 2-Year Contest to Build AI Tools to Fix Vulnerabilities

Teams will be challenged to build AI-based tools that address open source's vulnerability problems.

Perri Adams from DARPA on stage at Black Hat USA 2023
Source: Dan Raywood via Dark Reading

BLACK HAT USA – Las Vegas – Wednesday, Aug. 9 — The Defense Advanced Research Projects Agency (DARPA) will sponsor a two-year competition to create a new generation of cybersecurity tools to better secure software. DARPA is a research and development agency of the US Department of Defense (DoD), responsible for the development of emerging technologies for use by the military.

The competition, named the AI Cyber Challenge (AIxCC), is intended to create AI-driven systems that help address cybersecurity issues and ensure more secure software. On the keynote stage at the Black Hat conference, AIxCC program manager Perri Adams announced the opening of the challenge. She said that as software enables modern life and drives productivity, it also creates an expanding attack surface for malicious actors.

"Recent technological advances do offer promising new ways of ensuring that we can keep defense one step ahead," she said. "The gains of AI, when used responsibly, have remarkable potential to secure our code."

However, Adams said that the promise of what AI could do isn't enough, and a "forcing function" is needed to bring together top figures in AI and cybersecurity to show how AI can be used for good.

Solving Software Security With AI in 2 Years?

The contest, which Adams said will conclude in 2025 at DEF CON, challenges competitors to design AI systems to rapidly find and fix vulnerabilities in critical code.

"This is an opportunity to use the technology to make a real difference to build something that can achieve dramatic structural change," she said. "We hope with this new DARPA challenge, we will spur such incredible innovation."

AIxCC will offer two tracks for participation: the Funded Track and the Open Track. Funded Track competitors will be selected from proposals submitted to a Small Business Innovation Research solicitation.

Prizes in the competition include $20 million for the teams with the best systems, and up to $1 million will also be offered to seven small businesses. Those teams with the best options will be assessed next spring, with semifinalists announced next summer at DEF CON 2024 and winners announced the following year at DEF CON 2025.

"The top five semifinalists will win $2 million each and have the opportunity to spend a year advancing their technology," Adams said. The semifinalists will have a year to build a system that can rapidly defend critical infrastructure from attack.

The AIxCC is backed by Google, Anthropic, Microsoft, and OpenAI, while the Open Source Security Foundation will serve as a challenge advisor.

"We have a competition that shapes innovation around real world problems. We want to create systems that automatically defend any kind of software from attack, from use in commercial industry to life-saving medical devices," Adams said.

Where AI Fits the Bill

Michael Sellitto, interim head of policy and societal impact at Anthropic, says technology moves quickly, and software developers are already using AI to write significant portions of code.

"It can help interpret or suggest alternatives to code that they're working with, and so we're not that far away from the technology being, you know, good at finding and fixing vulnerabilities and sort of a focused effort," he says. "This challenge can accelerate those efforts pretty quickly, as two years ago, nobody was using AI to write code at all, and today, it's become sort of the daily workflow for a significant portion of coders."

Adams says the goal is to develop very usable systems that can have a dramatic impact on securing software, and the desire is to have that success serve as an example of how AI can be used to solve a key challenge in society. "Our goal is to develop cutting edge technology that can secure software at scale; tools that can ingest software and say 'Hey, I found all of these bugs and here are fixes' that would remove the vulnerable code and replace it with secure code," she said.


About the Author

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years' experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
