OSS-CRS: Liberating AIxCC Cyber Reasoning Systems for Real-World Open-Source Security
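AI Summary
Proposes the OSS-CRS framework for running and combining cyber reasoning systems on real-world open-source projects; it discovered 10 previously unknown vulnerabilities.
Main Contributions
- Open-source, deployable framework OSS-CRS
- Port of the first-place system, Atlantis
- Discovery of 10 previously unknown vulnerabilities in OSS-Fuzz projects
Methodology
Builds an open-source framework, integrates existing CRS systems, runs vulnerability-discovery tests against OSS-Fuzz projects, and evaluates resource-management efficiency.
Original Abstract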
DARPA's AI Cyber Challenge (AIxCC) showed that cyber reasoning systems (CRSs) can go beyond vulnerability discovery to autonomously confirm and patch bugs: seven teams built such systems and open-sourced them after the competition. Yet all seven open-sourced CRSs remain largely unusable outside their original teams, each bound to the competition cloud infrastructure that no longer exists. We present OSS-CRS, an open, locally deployable framework for running and combining CRS techniques against real-world open-source projects, with budget-aware resource management. We ported the first-place system (Atlantis) and discovered 10 previously unknown bugs (three of high severity) across 8 OSS-Fuzz projects. OSS-CRS is publicly available.