Mechanical Phish auto-exploit auto-patch kit lands on GitHub
Vuln-hunting robot ready to roam the world
One of the top three finishers in DARPA's recent Cyber Grand Challenge, Mechanical Phish, has been open sourced on GitHub.
The Cyber Grand Challenge posed a hellish problem indeed: write software that could find and exploit bugs (à la Metasploit) and then patch them, all without human intervention.
In that competition, the Shellphish team (led by UC Santa Barbara's Giovanni Vigna) came third with Mechanical Phish, behind the first-placed ForAllSecure team out of Carnegie Mellon and the University of Virginia / GrammaTech TechX team.
Warning: installation won't be for the faint-hearted, not only because Mechanical Phish can be “an ordeal” to set up, but also because at this stage the documentation is, ahem, incomplete.
Mechanical Phish is built on angr, UC Santa Barbara's binary analysis framework, which at least has better documentation than the competition entry does at this stage.
“Absent” might be as good a word, as the project explains: “There is very little documentation of the whole thing. This is something that we would love community involvement for (although it's admittedly a chicken-and-egg problem).”
There are, the project says, a lot of moving parts: task scheduling, API calls, exploit decision-making, task running, plus common utilities and a knowledge base.
The hard work happens in the “Worker” section, which includes the Shellphish-developed Rex auto-exploit component and the Patcherex auto-patching engine; a Python-based fuzzer; angr's concolic tracing engine; a smart fuzzer called Driller, which drives the fuzzer and the concolic tracer together; and a couple of wrappers.
“No blueprint for doing this existed before the CGC, so we had to figure things out as we went along,” the group writes on the project page. That makes Mechanical Phish “extremely complicated”, and, authored by a “mysterious hacker collective”, it's got “rough components, missing documentation, and ghosts in the machine”. ®