John Hammond Interviews Shellfish Team on DARPA's AI Cyber Challenge

In this video, John Hammond interviews members of the Shellfish team, who are participating in the AI Cyber Challenge (AIC) organized by DARPA. The participants discuss their experiences, technical challenges, and the strategies they have adopted to succeed in this competition. One of the key points addressed is the nature of the AIC itself. The challenge was launched in 2023, shortly after the release of ChatGPT 3.5, which sparked great enthusiasm for language models. The goal of the challenge is to explore how these new tools can be integrated into cybersecurity to automate the detection and correction of vulnerabilities. Participants mention that one of the initial challenges was analyzing the Linux kernel, a monumental task that surprised everyone with its scope. The Shellfish team, composed of researchers from UCSB, Arizona State University, and Purdue, share their academic backgrounds and motivations for participating in this challenge. They explain how they started by using traditional tools like AFL for fuzzing and CodeQL for static analysis, before gradually integrating language models (LLMs) to improve their systems. They emphasize the importance of combining traditional methods with the capabilities of LLMs to achieve the best results. An interesting technical aspect is how they structured their security pipeline. The system consists of several microservices that interact to analyze targets, detect vulnerabilities, and generate patches. Each component is designed to perform a specific task, such as code compilation, fuzzing, or bug validation. They use Kubernetes containers to orchestrate these microservices, allowing for great flexibility and scalability. The participants also discuss the challenges related to using LLMs, including hallucinations and context window limitations. They explain how they had to adjust their approaches to effectively guide the LLMs and avoid costly errors. For example, they mention a time when an LLM generated a Java crash report for a Linux kernel, which made no sense. Another important point is the competition itself. Teams are evaluated not only on their ability to find vulnerabilities but also on the quality of the patches they propose. The patches must maintain the functionality of the original software and be robust against various test inputs. Teams can also invalidate other teams' patches by finding bugs that bypass them. The participants also share advice for students and cybersecurity enthusiasts who want to participate in similar challenges. They stress the importance of understanding the fundamental principles of security and program analysis while remaining open to new technologies like LLMs. They also recommend participating in CTFs (Capture The Flag) to gain practical experience. In conclusion, this video provides a fascinating glimpse into the hard work and innovation required to succeed in a high-level cybersecurity challenge. The Shellfish team members demonstrate how collaboration between humans and machines can push the boundaries of what is possible in security.