Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance
Yan Shoshitaishvili, Michael Weissbacher, Lukas Dresel, Christopher Salls, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna

TL;DR
This paper introduces a human-assisted approach to automated vulnerability analysis, where humans perform specific sub-tasks to enhance system capabilities, enabling scalable and efficient security flaw detection in complex software.
Contribution
It proposes a shift from the tool-assisted, human-centered paradigm of vulnerability analysis to a human-assisted, tool-centered one, integrating human input into autonomous systems.
Findings
Non-expert human assistance significantly improves analysis accuracy.
The system scales better with larger codebases.
Human input reduces false positives and negatives.
Abstract
As the size and complexity of software systems increase, the number and sophistication of software security flaws increase as well. The analysis of these flaws began as a manual approach, but it soon became apparent that tools were necessary to assist human experts in this task, resulting in a number of techniques and approaches that automated aspects of the vulnerability analysis process. Recently, DARPA carried out the Cyber Grand Challenge, a competition among autonomous vulnerability analysis systems designed to push the tool-assisted human-centered paradigm into the territory of complete automation. However, when the autonomous systems were pitted against human experts it became clear that certain tasks, albeit simple, could not be carried out by an autonomous system, as they require an understanding of the logic of the application under analysis. Based on this observation, we…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Software Testing and Debugging Techniques
