
ACM CCS 2025
October 13-17, 2025
Taipei, Taiwan
Keynote Talks
Keynote Talk #1
Autonomous Vulnerability Analysis, Triaging, and Repair: A Historical Perspective
9:30--10:30, Oct. 14, 2025.

Prof. Giovanni Vigna
Abstract
The software components that support critical infrastructure are riddled with vulnerabilities, whose exploitation could cause service disruption, financial damage, and possibly loss of life.
Although there are efforts, such as OSS-Fuzz, to continuously analyze these components for vulnerabilities, some categories of security bugs are still hard to detect. In addition, the creation of testing harnesses and the generation of effective patches still require substantial effort from human experts.
To address these issues, researchers and practitioners alike have focused on automating the vulnerability analysis and repair process. In particular, DARPA has supported these research efforts with two challenges: the DARPA Cyber Grand Challenge (CGC) in 2016 and the AI Cyber Challenge (AIxCC) in 2025. In these two challenges, participants had to create Cyber Reasoning Systems (CRS) that, in different contexts, had to identify vulnerabilities, exploit them, and provide patches without any human involvement.
In this talk, we take a historical look at these efforts that span a decade, especially in light of the recent advances in Large Language Models (LLMs), and highlight the lessons learned from participating in these competitions, as well as the challenges that still need to be addressed to achieve a completely autonomous vulnerability analysis, triaging, and repair process.
Keynote Talk #2
Mechanizing Privacy by Design
9:30--10:30, Oct. 15, 2025.

Prof. David Basin
Abstract
Privacy by design requires integrating data protection into systems from the outset, during their design, rather than building it in later. Related legislation does not specify how to achieve this, and mainstream languages and frameworks lack support for privacy by design. To address this long-standing problem, we have developed different, effective technical solutions. First, we have developed powerful logic-based tools that enforce formal data protection policies at runtime by controlling relevant system actions. Second, we have proposed methods and tools for integrating privacy models into system design models, enabling model-driven privacy enforcement. We report on our methods, tools, and practical experiences using them.