Conversation
|
One major consideration is whether we should combine bug-finding and bug-fixing into a single RFC, as we are merging these two processes together. |
|
|
||
| This RFC proposes a standardized set of interfaces and specifications for Cyber Reasoning Systems (CRSs) following the DARPA AIxCC competition. | ||
| The aim is to unify bug finding and reporting workflows to make them portable across teams, scalable from laptops to clusters, and compatible with oss-fuzz. | ||
|
|
There was a problem hiding this comment.
I'm sure that's the short-term aim, but this overview text doesn't justify why anyone would care about unifying bug finding and reporting workflows. This overview should also give the "bigger picture" that I think you know but aren't expressing. I suggest adding something like this:
| This unification enables CRSs to interoperate and accurately measure their capabilities, leading to steady improvements over time so that real-world software vulnerabilities can be automatically identified and fixed at scale, vastly reducing the risks to society from vulnerable software. | |
There was a problem hiding this comment.
(If you want, you can accept this comment, but feel to write something else. My point is that you need to explain why this can help users and society, not just what it does, to put it in context.)
|
|
||
| **The implementation of this proposal: OSS-CRS ([https://github.com/sslab-gatech/oss-crs/tree/main](https://github.com/sslab-gatech/oss-crs/tree/main)) is an independent standard CRS framework that can test and run against OSS-Fuzz projects.** | ||
|
|
||
| ## Glossary and terms |
There was a problem hiding this comment.
I know what these are, but does the reader know? These are just acronym expansions, which is a good start, but you might want to follow each with a 1-sentence definition if you think some readers might not know what these are (as you already did with libCRS).
| This helps us understand where and how much LLMs can contribute without waiting for the entire campaign to finish. | ||
|
|
||
| #### Pushing OSS-Fuzz Closer to developers via Diff Mode | ||
|
|
There was a problem hiding this comment.
Nowhere does this explain what "Diff Mode" is. I mean, I can guess, but if that's a key concept, it should be briefly defined in this section (since this section is all about Diff Mode).
david-a-wheeler
left a comment
david-a-wheeler
left a comment
There was a problem hiding this comment.
Here are several comments, I hope they help!
|
|
||
| ## Background | ||
|
|
||
| - **CRS (Cyber Reasoning System):** automation systems that find and patch vulnerabilities. |
There was a problem hiding this comment.
Shouldn't this be in the definitions/glossary earlier, so you don't need to repeat it here?
| ## Standardization Proposals / CRS Integration Topology | ||
|
|
||
| ### Command Structure | ||
|
|
There was a problem hiding this comment.
Add some intro text, e.g.:
| Here are examples of command-line commands that our work would enable: |
|
|
||
| ### LLM Configuration | ||
|
|
||
| LLM configuration uses the native [LiteLLM Proxy Configuration](https://docs.litellm.ai/docs/proxy/configs) format. The configuration file path is specified in the CRS-Compose file via `llm_config.litellm_config`. |
There was a problem hiding this comment.
You suddenly introduce litellm here, without any fanfare, yet it's implicitly defining key parts of the interface.
I don't object to the use of litellm, but since it's embedded in the proposal, you really should introduce litellm earlier & why you're using it. E.g., "As part of this proposal we propose embedding the litellm Python library...." Explain briefly why you're using it, why not some other library. Then it won't be a surprise later on.
docs/RFC.md
Outdated
| ### Diff Mode Support | ||
|
|
||
| Diff Mode lets the CRS focus on code changes between commits instead of fuzzing the whole project. | ||
| It's useful for validating patches, PRs, or a series of commits where you only want to explore the modified code paths. |
There was a problem hiding this comment.
That's a fine explanation of Diff Mode, except you already introduced Diff Mode earlier. You should explain what Diff Mode is/does the first time you use the term. Maybe that goes early in the document, to make sure readers are aware of it. Diff Mode seems like a key new capability that deserves early discussion.
docs/RFC.md
Outdated
|
|
||
| ### CRS Ensemble Support | ||
|
|
||
| **Motivation:** Combine pure agents with fuzzers for maximum coverage. |
There was a problem hiding this comment.
I'm not sure what a "pure" agent is. Is this only using AI? Only doing static analysis?
I'm all for combining and using fuzzers, but I think we should use all tools available for finding vulnerabilities - if a traditional static analysis tool, or an AI reading code, can help find vulnerabilities, great! Indeed, I'd love to see human inputs as a potential source (e.g., "I'm especially concerned that the interaction of X and Y might produce Z, can you look into that?").
docs/RFC.md
Outdated
|
|
||
| #### Environment Variables | ||
|
|
||
| CRSs receive the following environment variables: |
There was a problem hiding this comment.
| CRSs receive the following environment variables: | |
| CRSs may receive the following environment variables: |
Are all of these strictly required? I doubt it. I suggest that these be as optional as you can make them.
| - Secure handling of LLM API keys. | ||
| - Resource isolation between CRS instances. | ||
|
|
||
| ## References |
There was a problem hiding this comment.
I would expect the AIxCC competition (at least some key docs) be included in the references. What about the oss-fuzz documentation?
Signed-off-by: Andrew Chin <achin34@gatech.edu>
Signed-off-by: Andrew Chin <achin34@gatech.edu>
Signed-off-by: Andrew Chin <achin34@gatech.edu>
Signed-off-by: Andrew Chin <achin34@gatech.edu>
Signed-off-by: Andrew Chin <achin34@gatech.edu>
4 participants
RFC for the OSS-CRS interface, configurations, and CRS integration.
We appreciate any and all feedback! Leave a comment or review in this issue if you are interested in discussing.