# Buttercup CRS Cheatsheet

## Overview
Buttercup is an open-source Cyber Reasoning System (CRS) developed by Trail of Bits for the DARPA AI Cyber Challenge (AIxCC), where it won 2nd place. It uses AI-driven techniques to autonomously find and patch vulnerabilities in C and Java source code repositories.
## Key Features
- AI-Assisted Fuzzing: Leverages ML to enhance vulnerability discovery.
- Autonomous Patching: Multi-agent AI system generates robust security patches.
- OSS-Fuzz Integration: Built on Google's open-source fuzzing infrastructure.
- Web-Based GUI: Real-time monitoring of tasks, vulnerabilities, and patches.
- Multi-Agent System: Composed of specialized agents for orchestration, fuzzing, and patching.
## System Requirements
- CPU: 8 cores (minimum)
- Memory: 16 GB RAM (minimum)
- Storage: 100 GB available disk space
- OS: Linux x86_64 (fully supported), ARM64 (partially supported)
- Dependencies: Docker, Kubernetes, make, curl, git
- AI Providers: API keys for OpenAI and/or Anthropic
## Installation

```bash
# 1. Clone the repository with submodules
git clone --recurse-submodules https://github.com/trailofbits/buttercup.git
cd buttercup

# 2. Run the automated setup script
make setup-local
```
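A preflight script that checks a host against the minimums and dependencies listed above before running `make setup-local`. This is an added example, not part of the Buttercup repository; it assumes `kubectl` is the Kubernetes client in use and that provider keys are exported as `OPENAI_API_KEY` / `ANTHROPIC_API_KEY`.

```bash
#!/bin/sh
# Preflight check for the documented minimums: 8 cores, 16 GB RAM, 100 GB free
# disk, Docker/Kubernetes/make/curl/git, and an OpenAI or Anthropic API key.
# Assumptions: kubectl stands in for "Kubernetes"; the env var names are guesses.

MIN_CORES=8
MIN_MEM_KB=$((16 * 1024 * 1024))
MIN_DISK_KB=$((100 * 1024 * 1024))
REQUIRED_TOOLS="docker kubectl make curl git"

# meets_minimum ACTUAL MINIMUM: succeeds when ACTUAL >= MINIMUM (integers).
meets_minimum() {
    [ "$1" -ge "$2" ]
}

# missing_tools NAME...: prints one line per tool that is not on PATH.
missing_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
    done
}

# has_ai_key: succeeds when at least one provider key is set (assumed names).
has_ai_key() {
    [ -n "${OPENAI_API_KEY:-}" ] || [ -n "${ANTHROPIC_API_KEY:-}" ]
}

# preflight DIR: checks cores, RAM, free disk under DIR, tools and keys;
# prints each failure and returns the number of failed checks.
preflight() {
    dir=${1:-.}
    failures=0
    cores=$(nproc 2>/dev/null || echo 0)
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || echo 0)
    disk_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    meets_minimum "${cores:-0}" "$MIN_CORES" ||
        { echo "FAIL: $cores cores < $MIN_CORES"; failures=$((failures + 1)); }
    meets_minimum "${mem_kb:-0}" "$MIN_MEM_KB" ||
        { echo "FAIL: RAM $((mem_kb / 1024)) MB < 16 GB"; failures=$((failures + 1)); }
    meets_minimum "${disk_kb:-0}" "$MIN_DISK_KB" ||
        { echo "FAIL: free disk $((disk_kb / 1024 / 1024)) GB < 100 GB"; failures=$((failures + 1)); }
    missing=$(missing_tools $REQUIRED_TOOLS)
    [ -z "$missing" ] ||
        { echo "FAIL: missing tools:"; echo "$missing"; failures=$((failures + 1)); }
    has_ai_key ||
        { echo "FAIL: export OPENAI_API_KEY or ANTHROPIC_API_KEY"; failures=$((failures + 1)); }
    [ "$failures" -eq 0 ] && echo "OK: host meets the documented minimums"
    return "$failures"
}
```

Run `preflight /var/lib/docker` (or the path where the local cluster will store images) and proceed to `make setup-local` only when it returns 0.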
## Core Commands

```bash
# Deploy Buttercup locally
make deploy-local

# Check the status of the deployment
make status

# Send a test task to find and patch vulnerabilities
make send-libpng-task

# Stop the local deployment
make undeploy
```
## Accessing the UI

```bash
# Access the main web UI (http://localhost:31323)
make web-ui

# Access the SigNoz observability dashboard (http://localhost:33301)
make signoz-ui
```
## System Architecture
- Orchestrator: Manages the overall workflow and coordinates agents.
- Seed Generator: Creates intelligent inputs for the fuzzer.
- Fuzzer: Discovers vulnerabilities using AI-enhanced techniques.
- Program Model: Analyzes code structure and semantics.
- Patcher: A team of seven AI agents that collaborate to create patches.
## Common Workflows
- Automated Security Audits: Continuously fuzz and patch open-source dependencies.
- Vulnerability Research: Accelerate the discovery of new vulnerabilities.
- CI/CD Integration: Integrate Buttercup into your CI/CD pipeline for automated security testing.