DARPA Wants Self-Patching Software

The U.S. military wants to build self-healing software.

A new project by the Defense Advanced Research Projects Agency (DARPA), the mad-scientist wing of the U.S. Department of Defense, is offering $2 million to the first team that can develop automated systems that test software for vulnerabilities and self-generate the necessary computer patches.

“Today, our time to patch a newly discovered security flaw is measured in days. Through automatic recognition and remediation of software flaws, the term for a new cyber attack may change from zero-day to zero-second,” Mike Walker, a DARPA program manager, wrote in a statement.

DARPA wants to find the best project by having different teams’ solutions compete against one another in an open tournament, similar to how flesh-and-blood security experts often meet to test their network-defense skills against one another. The automated-system competition will take place on a purpose-built network framework and start with a qualifying event in which competitors must automatically identify, analyze and repair a series of software flaws. Throughout subsequent rounds of battle, points will be awarded based on each system’s ability to protect hosts, discover vulnerabilities, and keep software running as normal.

But potential competitors also have some time to assemble their software: DARPA doesn’t plan on hosting its tournament until sometime in 2016.

The appeal of self-patching software extends far beyond the military, of course. Private companies and government agencies spend massive amounts of money and time fixing software flaws (and dealing with the real-world ramifications of those flaws); the introduction of a “healing factor” would translate into significant savings.

While DARPA often funds borderline-fantastical research—such as fabric that allows soldiers to climb walls like geckos, or armored exoskeletons capable of lifting massive amounts of weight—it also focuses on more mundane projects. In August, for example, the agency indicated that it was developing tools that could evaluate whether a public dataset poses a national security threat.

