6.4: news.cyb/sec/DARPA's automated internet disinfectant:
Mike Walker, DARPA program manager
on Reddit.com:
In April of 2014, insurers started selling insurance products
that covered physical harm generated by cyber effects
-- Google "cyber insurance" "property damage".
In May of 2014,
Sky News reported that over 42,000 London cars
-- nearly half of the cars stolen in the city of London --
were stolen with hacking.
The networked civilization we are building
is going to need to be able to make
strong promises about the safety of software,
because it won't just be guarding our data security
-- it will be guarding our physical security.
If we're going to be able to make strong promises about
software safety, we're going to need automation
that can investigate software in a
uniform, scalable and effective manner.
We know that expert auditors can't get there
-- IBM/Rational points out that our civilization crossed
1 trillion lines of code in the early 2000's.
Operating systems weigh in above 40 million lines
under constant development.
The problem is too big and it’s moving too fast.
We also know that today's automation is
losing every contest of wits to experts
-- in the wake of Heartbleed,
not a single automation product has come forward to say
that this flaw could have been detected
without expert annotation or intervention.
CGC is open technology development
on the problem of software safety,
a problem seen by the DoD
-- and everyone with a vested interest in our connected future.
cybergrandchallenge/about:
. What if a purpose built supercomputer
could scour the billions of lines of code we depend on,
find and fix the toughest flaws,
upend the economics of computer security,
and level the playing field
between attackers and defenders?
co.reddit comment:
. a lot invested in the [stale] attack/defense model
of computer security competition.
I've heard arguments from many players
that the current model of attack/defense CTF
[capture the flag competitions] is "stale".
Mike Walker:
. great innovation is happening in the CTF community:
see Build It / Break It / Fix It,
funded by the National Science Foundation.
6.7: my response:
. what is stale is the attack/defense model;
because, the chip firmwares have backdoors;
you need to secure the hardware;
then you can analyze the software;
but, at least with DECREE
they are promoting a microkernel OS
that can guarantee isolation between app's?
(well, the interface is tiny, if not the Trusted Code Base).
. unfortunately what they have in mind
is to use their simple OS only for
easily managing the budding automation competition;
then they plan to evolve the winning buds
for auto-fixing today's software on today OS's.
. but,
what can they do for firmware breaches?
. they are trying to show concern about cybercrime
without actually blocking the backdoors used by NSA .