Proteus: Automated Cyber Reasoning

Originally published by the High Confidence Software and Systems Conference

High Confidence Software and Systems Conference, Annapolis, MD, May 6-8, 2024

Authors:

Bill Bierman

Abstract:

In 2016, DARPA hosted the Cyber Grand Challenge (CGC), a competition to create automatic cyber reasoning systems.  Together with a team from the University of Virginia, GrammaTech won second place out of over 100 teams.  We present Proteus: the maturation of this technology from operating in a simple, controlled, and academic environment to modern, real-world operating systems.  In this presentation we will discuss the transition of more than 10 independent tools at various levels of maturity to one production system and a comprehensive reflection on this process.  We will also discuss the current capabilities of Proteus, issues both solved and unsolved, and future plans.

Proteus provides a scalable dynamic analysis environment which combines fuzzing, symbolic execution, error amplification, binary rewriting, exploitability analysis, binary patching, and binary hardening.  Our goal is to automatically discover security vulnerabilities in software on both Windows and Linux, assess their severity, and mitigate with patching using binary rewriting, all without requiring source code.  First, the core of Proteus is a powerful combination of symbolic execution and fuzzing, increasingly recognized by the community as a complementary set of technologies for dynamic analysis.  Second, error amplification allows deeper detection.  Third, a sophisticated exploitability analysis allows triaging reports for actionability where analyst time is limited.  Fourth, automated patching is available via bleeding-edge research advances in rewriting.  Fifth, comprehensive reports ensure usability and help provide the “big picture”.

In transitioning Proteus from the simplified Linux environment of the DARPA CGC to Windows, we encountered a number of challenges.  Arguably the most significant issue was that fuzz testing on Windows is not as efficient as on Linux, due to the lack of the fork() system call.  To mitigate this issue, we implemented a fork server which brings a similar capability to Windows, resulting in a substantial performance increase.  Our memory safety instrumentation also required significant effort to be made compatible with process heap management on Windows.

Proteus is scalable, providing coordination for analyzers across multiple compute nodes.  The user may at times be required to simply allocate additional compute resources to an analysis to overcome poor performance on Windows.  In the future we plan to investigate using virtualization capabilities in the x86 architecture to allow fast state resets to further accelerate fuzz testing.  Our presentation will share our experience in bringing these capabilities to Windows.

We will discuss the maturation of the Proteus system, which is relevant to the HCSS goal of identifying new technology and methodologies, and their transition to mainstream use with large-scale, distributed coordination.  Additionally, to support the DoD’s need for rapid onboarding of new cyber analysts, Proteus is designed to be accessible and intuitive, advancing the mission of national security – analysts may produce meaningful results on day one.
