Portal de Periódicos da CAPES

Mechanical Phish: Resilient Autonomous Hacking

2018; Institute of Electrical and Electronics Engineers; Volume: 16; Issue: 2 Linguagem: Inglês

10.1109/msp.2018.1870858

1558-4046

Yan Shoshitaishvili, Antonio Bianchi, Kevin Borgolte, Amat Cama, Jacopo Corbetta, Francesco Disperati, Audrey Dutcher, John Grosen, Paul Grosen, Aravind Machiry, Chris Salls, Nick Stephens, Ruoyu Wang, Giovanni Vigna,

Security and Verification in Computing

The size and complexity of software is increasing, and security flaws are becoming more numerous, sophisticated, and impactful. While the vulnerability identification process (especially in hard-to-analyze binary programs) has traditionally been driven by highly skilled human analysts, this approach does not scale, given the vast amount of deployed software. Recently, the vulnerability analysis process has started to shift toward automated approaches. The DARPA Cyber Grand Challenge has played a key role in transforming disconnected research ideas into fully autonomous cyber reasoning systems that analyze code to find vulnerabilities, generate exploits to prove the existence of these vulnerabilities, and patch the vulnerable software. In this article, we discuss our cyber reasoning system, Mechanical Phish, which we have open-sourced; the lessons we learned in participating in this ground-breaking competition; and our system's performance as a tool in assisting humans during the DEF CON Capture-the-Flag competition, which followed the DARPA Cyber Grand Challenge.