Arizona State University
As software has proliferated to become a critical part of our daily lives, increasing in both variety and volume beyond the ability of human hackers to effectively analyze it, the need for automated techniques to identify and mitigate bugs and vulnerabilities has become painfully apparent.
Over the last few decades, several paradigms for the design of such automation have been explored by security researchers, numerous buzzwords have been coined, and many papers have been written to convey various techniques. However, despite decades of work, techniques for the automation of finding and fixing bugs are still in their infancy, and most such analyses are still done by hand.
In this talk, I will delve into why this is the case, using the DARPA Cyber Grand Challenge as a vantage point to explore the issue. I will explore the road we have taken to get where we are, touch on the fundamental (and not so fundamental) limitations holding us back, and muse about the next steps. I'll discuss this all in the context of my research into cyber autonomy and in the challenges and hurdles that my team, Shellphish, faced in the Cyber Grand Challenge and in applying our Cyber Reasoning System beyond that contest.
Yan Shoshitaishvili is an assistant professor at Arizona State University, where he leads research into automated program analysis and vulnerability identification techniques. As part of this, Yan led Shellphish's participation in the DARPA Cyber Grand Challenge, applying his research tothe creation of a fully autonomous hacking system that won third place in the competition. Underpinning this system is angr, an open-source binary analysis project created by Yan (and others!) over the years. When he is not doing research, Yan is one of the hacking aces of the Shellphish computer hacking group, playing with them through cybersecurity competitions worldwide.