Proteus is an advanced software testing system for automatically finding and fixing vulnerabilities, with no false alarms, aimed at development groups, testing organizations, and cybersecurity teams. It discovers vulnerabilities that could be triggered by potentially malicious file or network inputs, including many common entries in the Common Weakness Enumeration (CWE). The tool supports Windows and Linux native binaries.
By integrating and simplifying the use of state-of-the-art tools for binary analysis and transformation, Proteus lowers the costs and increases the efficiency and effectiveness of software testing, reverse engineering, and maintenance, including:
- binary analysis, mutational fuzzing, and symbolic execution without the need for source code,
- a professional-grade user interface for result aggregation and presentation,
- a wizard for easy system use, distributed process orchestration, and management,
- advanced exploitability reporting and reasoning capability, and
- deployment in a virtualized environment or on a host system.
Proteus integrates five capabilities, each of which can be used in an end-to-end workflow or independently:
- Error Amplification – earlier and more complete error detection; faster root-cause localization
- Weakness Discovery – automatic generation of test inputs leading to application failure
- Exploitability Analysis – assessment of the exploitability of the discovered weaknesses
- Binary Patching – automated recommendation and application of patches for exploitable weaknesses
- Binary Hardening – additional protections for weaknesses that may have remained undiscovered during analysis
This material is based upon work supported by the U.S. Air Force, DARPA, the U.S. Army, DIU, the U.S. Navy and the U.S. Office of Naval Research under Contract(s) No. FA8750-14-C-0110, W15QKN-18-9-1013, W56KGU-17-C-0028, FA8750-15-C-0113, HR0011-18-C-0061 and N68335-17-C-0700. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Air Force, DARPA, Army, DIU, the Navy or the Office of Naval Research.