All You Need Is A Fuzzing Brain: An LLM-Powered System for Automated Vulnerability Detection and Patching

Summary

This paper details a cyber security system, called the Cyber Reasoning System (CRS), developed by the 'All You Need Is A Fuzzing Brain' team for the DARPA AIxCC competition. The system automatically finds and fixes software vulnerabilities.

What's the problem?

Software often has hidden security flaws, called vulnerabilities, that hackers can exploit. Finding these vulnerabilities is hard work, usually done manually by security experts. The goal was to create an AI system that could automatically discover and patch these flaws in real-world software without human help.

What's the solution?

The team built a CRS that uses large language models (LLMs) – the same kind of AI powering chatbots – to intelligently test software for weaknesses. This process, called fuzzing, involves feeding the software lots of random, but carefully crafted, inputs to try and crash it or expose vulnerabilities. Their system not only found 28 vulnerabilities, including six brand new ones nobody knew about, but also successfully fixed 14 of them. They’ve also created a public leaderboard to compare how well different LLMs perform at finding and fixing these bugs.

Why it matters?

This work is important because it shows that AI can be used to significantly improve software security. Automating vulnerability discovery and patching can help protect systems from attacks and reduce the workload on security professionals. The public leaderboard also encourages further research and development in this area, pushing the boundaries of what AI can do for cybersecurity.