CSE Colloquia: A Decade of Binary Analysis: Lessons Learned

Abstract:
On the last day of Usenix Security in 2013, the first lines of code of what would become the angr binary analysis framework were written. In the decade since, angr has powered hundreds of papers from researchers around the world and enabled projects in all subfields of binary analysis, including the fully autonomous "Cyber Reasoning System" that the Shellphish Capture the Flag team fielded in the DARPA Cyber Grand Challenge. Moreover, angr has continued to grow and improve to the modern day. This success, as with most useful efforts, requires a lot of energy and dedication, and 10 years is a long time to maintain this momentum.

In this somewhat experimental talk, I will delve into the untold tales of the angr project, its impact on binary analysis and related pursuits, and the unexpected ways in which it has influenced not only my research but my career as a whole. We'll talk about research that worked, undertakings that fizzled out, and the valuable lessons learned along the way. With luck, we will find some wisdom to generalize beyond a single open-source framework and into something that can help the audience in their pursuits of their own research visions.

Bio:
Yan Shoshitaishvili is an Assistant Professor at Arizona State University, where he pursues parallel passions of cybersecurity research, real-world impact, and education. His research focuses on automated program analysis and vulnerability detection techniques. Aside from publishing dozens of research papers in top academic venues, Yan led Shellphish’s participation in the DARPA Cyber Grand Challenge, achieving the creation of a fully autonomous hacking system that won third place in the competition.

Underpinning much of his research is angr, the open-source program analysis framework created by Yan and his collaborators. This framework has powered hundreds of research papers, helped find thousands of security bugs, and continues to be used in research labs and companies around the world.

When he is not doing research, Yan participates in the enthusiast and educational cybersecurity communities. He is a Captain Emeritus of Shellphish, one of the oldest ethical hacking groups in the world, and a founder of the Order of the Overflow, with whom he ran DEF CON CTF, the “world championship” of cybersecurity competitions, from 2018 through 2021. Now, he helps demystify the hacking scene as a co-host of the CTF RadiOOO podcast and forge connections between the government and the hacking community through his participation on CISA’s Technical Advisory Council. In order to inspire students to pursue cybersecurity (and, ultimately, compete at DEF CON!), Yan created pwn.college, an open practice-makes-perfect learning platform that is revolutionizing cybersecurity education for aspiring hackers around the world.

 


Media Contact: Timothy Zhu

 
 

About

The School of Electrical Engineering and Computer Science was created in the spring of 2015 to allow greater access to courses offered by both departments for undergraduate and graduate students in exciting collaborative research fields.

We offer B.S. degrees in electrical engineering, computer science, computer engineering and data science and graduate degrees (master's degrees and Ph.D.'s) in electrical engineering and computer science and engineering. EECS focuses on the convergence of technologies and disciplines to meet today’s industrial demands.

School of Electrical Engineering and Computer Science

The Pennsylvania State University

207 Electrical Engineering West

University Park, PA 16802

814-863-6740

Department of Computer Science and Engineering

814-865-9505

Department of Electrical Engineering

814-865-7667