Published Research

Cyber Reasoning System (CRS)

Despite decades of research, software with serious security vulnerabilities is regularly deployed. The impact of these vulnerabilities will increase in proportion to the number of devices that become “smart.” The current tools and pool of talent can’t keep pace.

Our CRS is a unique tool built for security auditors and software developers to consistently and automatically detect, mitigate, and exploit software vulnerabilities on a massive scale across a large high-assurance codebase. We developed it for the qualifying event of DARPA’s Cyber Grand Challenge, an independently evaluated competition. Our CRS proved to be the second-most effective entrant at finding and patching vulnerabilities without human intervention.

Though it performs at a rate on-par with more complex systems, our CRS requires half as much code, and can easily integrate new analysis tools.

Our CRS pairs a low-latency fuzzer with two open-source symbolic execution engines combined through analysis boosting. Its low-latency fuzzer delivers twice the throughput of similar mutational fuzzers and provides instruction-level instrumentation and code-coverage measurement. Analysis boosting combines simple existing analysis tools into a single analysis that is stronger than its constituents, while requiring fewer resources.

Our CRS is available on a service or license basis to software manufacturers whose products require high assurance.