Create the Fully Autonomous World for Software Security
To protect the billions of computers running countless programs, security researchers have pursued automated vulnerability detection and remediation techniques, attempting to scale such analyses beyond the limitations of human hackers. However, although these techniques will mitigate, or even eliminate, the bottleneck that human effort represented in these areas, the human bottleneck (and human fallibility) remains in the higher-level strategy of what to do with automatically identified vulnerabilities, automatically created exploits, and automatically generated patches. There are many choices to make regarding the specifics of such a strategy, and these choices have real implications beyond cyber-security exercises. For example, individuals make decisions on whether to patch the Spectre vulnerability given that the patch affects performance in some workloads, and nations make decisions on whether to disclose new software vulnerabilities (zero-day vulnerabilities) or to exploit them for gain. In this talk, I will introduce my work on cyber autonomy. Cyber autonomy is a new computer security research area, aiming to secure programs without human intervention, from discovering vulnerabilities and making decisions to executing those decisions. While the first generation of implemented systems (autonomous cyber reasoning systems) has shown the potential for cyber autonomy, they are still too simplistic for practical use. I will delve into the challenges in cyber autonomy and the issue of the strategy-techniques gap, explore the possible solutions, and discuss the future steps to mature cyber autonomy into everyday practice.
Tiffany Bao is a PhD candidate in Electrical and Computer Engineering at Carnegie Mellon University, advised by Professor David Brumley. She is also a member of the CyLab Security and Privacy Institute at Carnegie Mellon University. Her research focuses on cyber autonomy, and her work spans the areas of binary analysis techniques and game-theoretical strategy. She earned her Bachelor of Science from Peking University in 2012, and she has worked as a security specialist at the University of California, Santa Barbara, Peking University, and Tsinghua University.