The Community for Technology Leaders
Green Image
Issue No. 02 - March/April (2018 vol. 16)
ISSN: 1540-7993
pp: 12-22
Yan Shoshitaishvili , Arizona State University
Antonio Bianchi , University of California at Santa Barbara
Kevin Borgolte , University of California at Santa Barbara
Amat Cama , Independent Researcher
Jacopo Corbetta , Independent Researcher
Francesco Disperati , PayJunction
Audrey Dutcher , University of California at Santa Barbara
John Grosen , Massachusetts Institute of Technology
Paul Grosen , University of California at Santa Barbara
Aravind Machiry , University of California at Santa Barbara
Chris Salls , University of California at Santa Barbara
Nick Stephens , Independent Researcher
Ruoyu Wang , University of California at Santa Barbara
Giovanni Vigna , University of California at Santa Barbara
ABSTRACT
The size and complexity of software is increasing, and security flaws are becoming more numerous, sophisticated, and impactful. While the vulnerability identification process (especially in hard-to-analyze binary programs) has traditionally been driven by highly skilled human analysts, this approach does not scale, given the vast amount of deployed software. Recently, the vulnerability analysis process has started to shift toward automated approaches. The DARPA Cyber Grand Challenge has played a key role in transforming disconnected research ideas into fully autonomous cyber reasoning systems that analyze code to find vulnerabilities, generate exploits to prove the existence of these vulnerabilities, and patch the vulnerable software. In this article, we discuss our cyber reasoning system, Mechanical Phish, which we have open-sourced; the lessons we learned in participating in this ground-breaking competition; and our system's performance as a tool in assisting humans during the DEF CON Capture-the-Flag competition, which followed the DARPA Cyber Grand Challenge.
INDEX TERMS
computer crime, learning (artificial intelligence), program diagnostics, security of data
CITATION

Y. Shoshitaishvili et al., "Mechanical Phish: Resilient Autonomous Hacking," in IEEE Security & Privacy, vol. 16, no. 2, pp. 12-22, 2018.
doi:10.1109/MSP.2018.1870858
851 ms
(Ver 3.3 (11022016))