Rise of the HaCRS
Augmenting Autonomous Cyber Reasoning Systems with Human Assistance
Yan Shoshitaishvili, Michael Weissbacher, Lukas Dresel, Christopher Salls, Ruoyu "Fish" Wang, Christopher Kruegel, Giovanni Vigna
Implications of "Cyber Autonomy"
Detections must be directly actionable by automation.
This mandates dynamic analysis for bug hunting.
Cyber Reasoning Systems run up against the dynamic coverage problem.
[Chart axes: Semantic Reasoning Capability, Scalability]
if (input[0] == MAGIC_NUMBER) { ... }
if (strcmp(username, "backdoor_user") == 0) { ... }
if (x == y * 1337 - 50) { ... }
if (expression_parsed) { ... }
if (game_won) { ... }
if (turing_test()) { ... }
...
[Same chart, annotated with a "?"]
[Same chart, with labels: HaCRS, Autonomous, Non-autonomous]
Rise of the HaCRS
HaCRS Interface
  Example Interactions: 1 2 3 4 5 6 7
    PAPER> PAPER
    TIE
    ROCK> SCISSORS
    YOU LOSE
  Feedback
    Score: 223/1225
    MINIMUM GOAL MET!
    Bonuses:
    - 10 more functions
    - Output "INVALID"
    ✔ Output "YOU WIN!!!"
    ✔ Output "EASTEREGG!!"
  Terminal
    PAPER> 0000
    EASTER EGG!!!
    PAPER> SCISSORS
    YOU WIN!!!
  Static Analysis Suggestions
    Educated Guesses:
    Brute Force:
  SUBMIT | GIVE UP
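As an added example (not code from the paper or the HaCRS project), a Python simulation of the feedback loop this interface provides and of the dynamic coverage problem from the earlier chart: a stand-in for the rock-paper-scissors program, a scorer that reports function coverage and output-string bonuses, the interface's Brute Force suggestion, and the two human transcripts shown above. The program logic, function names, scoring rule and the program's move sequence are constructed assumptions.

```python
"""Simulated HaCRS feedback loop for the slides' rock-paper-scissors program.
Constructed for illustration: logic, function names and scoring are assumptions."""
import itertools

BEATS = {"PAPER": "ROCK", "ROCK": "SCISSORS", "SCISSORS": "PAPER"}
PROGRAM_MOVES = ["PAPER", "ROCK", "SCISSORS"]        # constructed move cycle
FUNCTIONS = {"main", "easter_egg", "reject", "judge", "tie", "win", "lose"}
BONUSES = ["INVALID", "YOU WIN!!!", "EASTER EGG!!!"]  # output-string bonuses

def target(lines):
    """Stand-in for the CGC-style binary: returns (transcript, covered functions).
    Each prompt shows the program's move; the tester answers with one line."""
    out, cov, rnd = [], {"main"}, 0
    for line in lines:
        mine = PROGRAM_MOVES[rnd % 3]
        out.append(f"{mine}> {line}")
        if line == "0000":            # magic-value check: cheap for brute force
            cov.add("easter_egg"); out.append("EASTER EGG!!!")
        elif line not in BEATS:
            cov.add("reject"); out.append("INVALID")
        else:                         # semantic check: needs knowledge of the game
            cov.add("judge"); rnd += 1
            if line == mine:
                cov.add("tie"); out.append("TIE")
            elif BEATS[line] == mine:
                cov.add("win"); out.append("YOU WIN!!!")
            else:
                cov.add("lose"); out.append("YOU LOSE")
    return out, cov

def feedback(sessions):
    """Interface-style feedback over several sessions: score plus bonus ticks."""
    cov, seen = set(), set()
    for lines in sessions:
        out, c = target(lines)
        cov |= c
        seen |= {b for b in BONUSES if any(b in o for o in out)}
    return {"score": f"{len(cov)}/{len(FUNCTIONS)}",
            "bonuses": {b: b in seen for b in BONUSES}}

def brute_force(width=4):
    """The interface's 'Brute Force' pane: one session per numeric string."""
    return [["".join(d)] for d in itertools.product("0123456789", repeat=width)]

HUMAN_SESSIONS = [["PAPER", "SCISSORS"], ["0000", "SCISSORS"]]  # slide transcripts

if __name__ == "__main__":
    print("brute force:", feedback(brute_force()))
    print("human      :", feedback(HUMAN_SESSIONS))
    print("combined   :", feedback(brute_force() + HUMAN_SESSIONS))
```

Brute force reaches the magic-value branch and the rejection path but never the game-win branch; the two human transcripts reach the win and the easter egg but never produce INVALID, so only the combination covers every function.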
Experimental Setup
85 programs from the DARPA Cyber Grand Challenge.
183 non-experts, 5 semi-experts.
$1,100.
Unassisted and assisted approaches, 8 hours each.
Usefulness of human assistance varies by semantic complexity.
Crashes found, by program semantic complexity and expertise required:
Semantic Complexity | Expertise Required | Fuzzing | Drilling | HaCRS
High                | Low                |      12 |       14 |    23
High                | High               |      14 |       17 |    28
Low                 | Low                |       1 |        2 |     2
Low                 | High               |       1 |        3 |     3
Total               |                    |      28 |       36 |    56
Approach | Test Cases | Code Coverage | Crashes
Fuzzing  |        361 |         42.87 |      28
Drilling |        649 |         44.91 |      36
HaCRS    |        437 |         53.45 |      56
[Charts: Test Cases Discovered; Code Coverage]
Experimental Results
This is effective!
Unskilled users significantly improved CRS effectiveness.
Semi-experts did not do significantly better than non-experts (interface issue?).
Next steps
Incentive structures.
Expertise utilization.
Other applications:
Questions?
Yan Shoshitaishvili - yans@asu.edu
Michael Weissbacher - mw@ccs.neu.edu
Lukas Dresel - lukas.dresel@cs.ucsb.edu
Chris Salls - salls@cs.ucsb.edu
Ruoyu "Fish" Wang - fish@cs.ucsb.edu
Chris Kruegel - chris@cs.ucsb.edu
Giovanni Vigna - vigna@cs.ucsb.edu
Team @Shellphish - team@shellphish.net
This presentation: https://goo.gl/n43PX7
Project materials: https://hacrs.org
Join in on slack: http://angr.io/invite.html