Proteus: Automated Cyber Reasoning

ABSTRACT

In 2016, DARPA hosted the Cyber Grand Challenge (CGC), a competition to create automatic cyber reasoning systems.  Together with a team from the University of Virginia, GrammaTech won second place out of over 100 teams.  We present Proteus: the maturation of this technology from operating in a simple, controlled, and academic environment to modern, real-world operating systems.  In this presentation we will discuss the transition of more than 10 independent tools at various levels of maturity to one production system and a comprehensive reflection on this process.  We will also discuss the current capabilities of Proteus, issues both solved and unsolved, and future plans.
Proteus provides a scalable dynamic analysis environment which combines fuzzing, symbolic execution, error amplification, binary rewriting, exploitability analysis, binary patching, and binary hardening.  Our goal is to automatically discover security vulnerabilities in software on both Windows and Linux, assess their severity, and mitigate with patching using binary rewriting, all without requiring source code.  First, the core of Proteus is a powerful combination of symbolic execution and fuzzing, increasingly recognized by the community as a complementary set of technologies for dynamic analysis. Second, error amplification allows deeper detection. Third, a sophisticated exploitability analysis allows triaging reports for actionability where analyst time is limited. Fourth, automated patching is available via bleeding-edge research advances in rewriting. Fifth, comprehensive reports ensure usability and help provide the “big picture”. 

In transitioning Proteus from the simplified Linux environment of the DARPA CGC to Windows, we encountered a number of challenges.  Arguably the most significant issue was that fuzz testing on Windows is not as efficient as on Linux, due to the lack of the fork() system call.  To mitigate this issue, we implemented a fork server which brings a similar capability to Windows, resulting in a substantial performance increase.  Our memory safety instrumentation also required significant effort to be made compatible with process heap management on Windows.

Proteus is scalable, providing coordination for analyzers across multiple compute nodes.  The user may at times be required to simply allocate additional compute resources to an analysis to overcome poor performance on Windows.  In the future we plan to investigate using virtualization capabilities in the x86 architecture to allow fast state resets to further accelerate fuzz testing.  Our presentation will share our experience in bringing these capabilities to Windows.

We will discuss the maturation of the Proteus system, which is relevant to the HCSS goal of identifying new technology and methodologies, and their transition to mainstream use with large-scale, distributed coordination.  Additionally, to support the DoD’s need for rapid onboarding of new cyber analysts, Proteus is designed to be accessible and intuitive, advancing the mission of national security – analysts may produce meaningful results on day one.

Author

Bill Bierman has been a software engineer and program manager in the cyber security and defense industry for more than a decade.  Bill has multiple degrees in Computer Science and Mathematics.  For the past eight years, Bill has been with GrammaTech as an engineer of innovative dynamic software analysis tools.  These tools cover fuzzing, symbolic execution, binary rewriting, memory safety validation, and the emergent properties inherent to their cooperation.  A priority of Bill's work has been to guide cyber security tooling towards accessibility, reducing the threshold of expertise required to conduct meaningful analyses.