Nov. 13, 2024
Members of the recently victorious cybersecurity group known as Team Atlanta received recognition from one of the top technology companies in the world for their discovery of a zero-day vulnerability in the DARPA AI Cyber Challenge (AIxCC) earlier this year.
On November 1, a team of Google’s security researchers from Project Zero announced they were inspired by the Georgia Tech students and alumni on the team that discovered a flaw in SQLite. This widely used open-source database ran the competition’s scoring algorithm.
According to a post from the project’s blog, when Google researchers saw the success of Atlantis, the large language model (LLM) used in AIxCC, they deployed their LLM to check vulnerabilities in SQLite.
Google’s Big Sleep tool discovered a security flaw in SQLite, an exploitable stack buffer underflow. Project Zero reported the vulnerability and it was patched almost immediately.
“We’re thrilled to see our work on LLM-based bug discovery and remediation inspiring further advancements in security research at Google,” said Hanqing Zhao, a Georgia Tech Ph.D. student. “It’s incredibly rewarding to witness the broader community recognizing and citing our contributions to AI and LLM-driven security efforts.”
Zhao led a group within Team Atlanta focused on tracking their project’s success during the competition, leading to the bug's discovery. He also wrote a technical breakdown of their findings in a blog post cited by Google’s Project Zero.
“This achievement was entirely autonomous, without any human intervention, and we hadn’t even anticipated targeting SQLite3,” he said. “The outcome highlighted the transformative potential of generative AI in security research. Our approach is rooted in a simple yet effective philosophy: mimic the expertise of seasoned security researchers using LLMs.”
The DARPA AI Cyber Challenge (AIxCC) semi-final competition was held at DEF CON 32 in Las Vegas. Team Atlanta, which included Georgia Tech experts, was among the contest’s winners.
Team Atlanta will now compete against six other teams in the final round, which will take place at DEF CON 33 in August 2025. The finalists will use the $2 million semi-final prize to improve their AI system over the next 12 months. Team Atlanta consists of past and present Georgia Tech students and was put together with the help of SCP Professor Taesoo Kim.
The AI systems in the finals must be open-sourced and ready for immediate, real-world launch. The AIxCC final competition will award the champion a $4 million grand prize.
The team tested their cyber reasoning system (CRS), dubbed Atlantis, on software used for data management, website support, healthcare systems, supply chains, electrical grids, transportation, and other critical infrastructures.
Atlantis is a next-generation, bug-finding and fixing system that can hunt bugs in multiple coding languages. The system immediately issues accurate software patches without any human intervention.
AIxCC is a Pentagon-backed initiative announced in August 2023 and will award up to $20 million in prize money throughout the competition. Team Atlanta was among the 42 teams that qualified for the semi-final competition earlier this year.