ForAllSecure, a CMU spinoff company, expanding DIU partnerships

After winning a prestigious DARPA competition in 2016, ForAllSecure, a Pittsburgh-based company launched by Carnegie Mellon faculty, has expanded its collaborations with U.S. Department of Defense's (DoD) Defence Innovation Unit, or DIU. Their products help the DoD detect vulnerabilities in software at machine speed and scale.

According to the U.S. Government Accountability Office (GAO), as weapon systems become more and more computerized, there are “more opportunities for attacks.” A 2017 DIU contract with ForAllSecure and multiple other design partners aims to be a solution to this problem, improving weapon systems security with the company’s “Mayhem” product. The company calls it a "next-generation fuzzing solution which automatically detects and eliminates vulnerabilities in software."

ForAllSecure was founded in 2014 by David Brumley, a Carnegie Mellon electrical and computer engineering professor, alongside Thanassis Avgerinos and Alex Rebert, both graduates and researchers from Carnegie Mellon. Mayhem, ForAllSecure’s flagship cybersecurity system, initially began as a project from Brumley’s Carnegie Mellon research group.

Chelsea Mastilak, a spokesperson for the company, told The Tartan in a phone interview that the company was started largely on the idea that “cybersecurity plays a huge role in making the country safe.”

ForAllSecure started with a prototype of Mayhem, which was much more productive than previous machines, said the company.

In 2016, with the Mayhem system developed, ForAllSecure entered the Cyber Grand Challenge (CGC), a competition created by DARPA in correspondence with the DEF CON hacker convention. One of seven teams that participated in the competition, ForAllSecure eventually won the competition after showing its strong auto-correcting power in fixing vulnerabilities in software in front of a crowd of over 5000 computer security professionals.

After winning the competition, ForAllSecure signed a contract with the Defense Innovation Unit, an organization under the DoD which aims to implement emerging technology into the U.S. military by contracting with startups and companies.

According to a U.S. GAO October Report of and studies performed by Carnegie Mellon’s Software Engineering Institute, nearly all previous weapon systems had some sort of vulnerabilities. However, only one out of 20 of those vulnerabilities were corrected previously. Seeking to “automate the process [of finding and correcting vulnerabilities in software] for modern developers”, ForAllSecure signed an $8 million contract with the DIU to help eliminate these defects in weapon systems.

Besides its great power in automatically checking for vulnerabilities, Mayhem also “uncovers defects with zero false positives,” according to the company’s website. ForAllSecure were able to achieve such precision by emphasizing reproduction in order to enhance the system. “The analysis engine runs the test case three times to verify that it is able to reproduce the same behavior,” their website states.

Mastilak says that ForAllSecure has completed the three stages of their contract with the DIU and is currently working on collaboration projects with individual clients from DoD. She notes that more clients in the DoD, not limited to the DIU in general, are interested in implementing Mayhem.