David Brumley’s research while affiliated with Carnegie Mellon University and other places

Mayhem is one of the first generation of autonomous computer security bots that finds and fixes vulnerabilities without any human intervention. Mayhem won the DARPA Cyber Grand Challenge (CGC) contest and $2,000,000 in August 2016 against six other finalists. The contest was the result of a two-year DARPA program, but the R&D necessary to compete stands on the shoulders of decades of basic academic and industry scientific research in program analysis, verification, and self-healing systems. The Mayhem system alone was developed over a decade of research in academia, which was spun out to a company called ForAllSecure. Mayhem is now being commercialized by ForAllSecure to autonomously check and protect the world’s software from exploitable bugs. In this article, we look back and give our story in creating Mayhem, and also look forward to a vision where autonomous security bots like Mayhem will radically improve the security of computer systems.

Efficient reasoning about strings is essential to a growing number of security and verification applications. We describe satisfiability checking techniques in an extended theory of strings that includes operators commonly occurring in these applications, such as $\mathsf {contains}, \mathsf {index\_of}$ and $\mathsf {replace}$. We introduce a novel context-dependent simplification technique that improves the scalability of string solvers on challenging constraints coming from real-world problems. Our evaluation shows that an implementation of these techniques in the SMT solver cvc4 significantly outperforms state-of-the-art string solvers on benchmarks generated using PyEx, a symbolic execution engine for Python programs. Using a test suite sampled from four popular Python packages, we show that PyEx uses only $41\%$ of the runtime when coupled with cvc4 than when coupled with cvc4’s closest competitor while achieving comparable program coverage.

Given a crash dump or a kernel memory snapshot, it is often desirable to have a capability that can traverse its pointers to locate the root cause of the crash, or check their integrity to detect the control flow hijacks. To achieve this, one key challenge lies in how to locate where the pointers are. While locating a pointer usually requires the data structure knowledge of the corresponding program, an important advance made by this work is that we show a technique of extracting address-independent data reference expressions for pointers through dynamic binary analysis. This novel pointer reference expression encodes how a pointer is accessed through the combination of a base address (usually a global variable) with certain offset and further pointer dereferences. We have applied our techniques to OS kernels, and our experimental results with a number of real world kernel malware show that we can correctly identify the hijacked kernel function pointers by locating them using the extracted pointer reference expressions when only given a memory snapshot.

Computer security games, especially capture-the-flag (CTF) competitions, are growing in popularity. A typical CTF contest presents users with a set of hacking challenges, where correct solutions reveal a text " flag " that can be submitted to a scoring server. In traditional CTF architectures, the problem and the flag are the same across the competition. In this paper we discuss automatic problem generation (APG), where a given challenge is not fixed, but rather can have many different automatically generated problem instances. APG offers players a unique competition experience and can facilitate deliberate practice where problems vary just enough to make sure a user can replicate the solution idea. APG also allows competition administrators the ability to detect when users submit a copied flag from another user to the scoring server. In 2014 we ran a large-scale CTF competition called PicoCTF, where we measured the prevalence of flag sharing. Our results indicate that about 0.8% of flags submitted to AGP problems were copied, with 14% of teams submitting at least one shared flag. In 68% of flag sharing cases, teams went on to eventually solve the problem on their own.