OSS-CRS: Liberating AIxCC Cyber Reasoning Systems for Real-World Open-Source Security
Andrew Chin, Dongkwan Kim, Yu-Fu Fu, Fabian Fleischer, Youngjoon Kim, HyungSeok Han, Cen Zhang, Brian Junekyu Lee, Hanqing Zhao, and Taesoo Kim

TL;DR
OSS-CRS is an open-source framework that enables local deployment and combination of cyber reasoning systems for real-world open-source security, demonstrating practical bug discovery and patching capabilities.
Contribution
It introduces a portable, resource-aware framework that extends AIxCC systems for real-world use, overcoming infrastructure dependencies of previous systems.
Findings
Discovered 10 new bugs across 8 open-source projects
Ported the winning AIxCC system Atlantis to OSS-CRS
Demonstrated practical bug confirmation and patching capabilities
Abstract
DARPA's AI Cyber Challenge (AIxCC) showed that cyber reasoning systems (CRSs) can go beyond vulnerability discovery to autonomously confirm and patch bugs: seven teams built such systems and open-sourced them after the competition. Yet all seven open-sourced CRSs remain largely unusable outside their original teams, each bound to the competition cloud infrastructure that no longer exists. We present OSS-CRS, an open, locally deployable framework for running and combining CRS techniques against real-world open-source projects, with budget-aware resource management. We ported the first-place system (Atlantis) and discovered 10 previously unknown bugs (three of high severity) across 8 OSS-Fuzz projects. OSS-CRS is publicly available.
Taxonomy
Topics: Security and Verification in Computing · Adversarial Robustness in Machine Learning · Information and Cyber Security
