TY - JOUR
T1 - Mechanical Phish
T2 - Resilient Autonomous Hacking
AU - Shoshitaishvili, Yan
AU - Bianchi, Antonio
AU - Borgolte, Kevin
AU - Cama, Amat
AU - Corbetta, Jacopo
AU - Disperati, Francesco
AU - Dutcher, Audrey
AU - Grosen, John
AU - Grosen, Paul
AU - Machiry, Aravind
AU - Salls, Chris
AU - Stephens, Nick
AU - Wang, Ruoyu
AU - Vigna, Giovanni
N1 - Publisher Copyright:
© 2003-2012 IEEE.
PY - 2018/3/1
Y1 - 2018/3/1
N2 - The size and complexity of software is increasing, and security flaws are becoming more numerous, sophisticated, and impactful. While the vulnerability identification process (especially in hard-to-analyze binary programs) has traditionally been driven by highly skilled human analysts, this approach does not scale, given the vast amount of deployed software. Recently, the vulnerability analysis process has started to shift toward automated approaches. The DARPA Cyber Grand Challenge has played a key role in transforming disconnected research ideas into fully autonomous cyber reasoning systems that analyze code to find vulnerabilities, generate exploits to prove the existence of these vulnerabilities, and patch the vulnerable software. In this article, we discuss our cyber reasoning system, Mechanical Phish, which we have open-sourced; the lessons we learned in participating in this ground-breaking competition; and our system's performance as a tool in assisting humans during the DEF CON Capture-the-Flag competition, which followed the DARPA Cyber Grand Challenge.
AB - The size and complexity of software is increasing, and security flaws are becoming more numerous, sophisticated, and impactful. While the vulnerability identification process (especially in hard-to-analyze binary programs) has traditionally been driven by highly skilled human analysts, this approach does not scale, given the vast amount of deployed software. Recently, the vulnerability analysis process has started to shift toward automated approaches. The DARPA Cyber Grand Challenge has played a key role in transforming disconnected research ideas into fully autonomous cyber reasoning systems that analyze code to find vulnerabilities, generate exploits to prove the existence of these vulnerabilities, and patch the vulnerable software. In this article, we discuss our cyber reasoning system, Mechanical Phish, which we have open-sourced; the lessons we learned in participating in this ground-breaking competition; and our system's performance as a tool in assisting humans during the DEF CON Capture-the-Flag competition, which followed the DARPA Cyber Grand Challenge.
KW - Cyber Grand Challenge
KW - Hacking without Humans
KW - autonomous systems
KW - computer aided analysis
KW - computer security
KW - knowledge based systems
KW - reasoning about programs
KW - security
UR - http://www.scopus.com/inward/record.url?scp=85044852294&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85044852294&partnerID=8YFLogxK
U2 - 10.1109/MSP.2018.1870858
DO - 10.1109/MSP.2018.1870858
M3 - Article
AN - SCOPUS:85044852294
SN - 1540-7993
VL - 16
SP - 12
EP - 22
JO - IEEE Security and Privacy
JF - IEEE Security and Privacy
IS - 2
ER -