Buttercup: Open-source AI-driven system detects and patches vulnerabilities

Buttercup is a free, automated, AI-powered platform that finds and fixes vulnerabilities in open-source software. Developed by Trail of Bits, it recently earned second place in DARPA’s AI Cyber Challenge (AIxCC).

Main components

Buttercup is made up of four main components, each playing a different role in finding and fixing vulnerabilities.

The orchestration/UI component keeps everything running smoothly, coordinating the actions of the other parts of the system and showing you the vulnerabilities it discovers and the patches it generates. Alongside the standard web interface, Buttercup also sends logs and system events to a SigNoz telemetry server so you can see what it’s doing behind the scenes.

The vulnerability discovery engine uses AI-augmented mutational fuzzing to uncover program inputs that reveal vulnerabilities. It’s built on OSS-Fuzz/ClusterFuzz and uses libFuzzer and Jazzer to do the heavy lifting in finding issues.

Contextual analysis takes a different approach, using traditional static analysis tools to create detailed, queryable program models. These models help provide context for the AI systems that handle vulnerability discovery and patching. Buttercup uses tools like tree-sitter and CodeQuery to build these models.

Finally, patch generation is where fixes come together. This multi-agent system uses seven AI agents to create and validate patches for the vulnerabilities Buttercup discovers, ensuring the fixes are robust and don’t break the rest of the program.
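The two middle stages above, coverage-guided mutational fuzzing and validating a candidate patch against the crash reproducers plus regression tests, can be sketched end to end in a few dozen lines. The following is an added example written for this article, not Buttercup's own code: it assumes a constructed toy record parser with a deliberate bounds bug, a hand-written patched version, a coverage tracer built on `sys.settrace` standing in for libFuzzer's instrumentation, and a `validate_patch` step standing in for what the multi-agent patcher checks (no crash on reproducers, unchanged behaviour on known-good inputs).

```python
"""Toy coverage-guided mutational fuzzer plus patch validation (constructed example)."""
import random
import sys
from typing import Callable, List, Set, Tuple

Coverage = Set[Tuple[str, int]]
Target = Callable[[bytes], Tuple[int, bytes]]


def parse_record(data: bytes) -> Tuple[int, bytes]:
    """Constructed target: [tag:1][length:1][payload:length] with a bounds bug.

    The length byte is trusted without comparing it against the buffer, so a
    truncated payload makes the index below raise IndexError (our "crash").
    """
    if len(data) < 2:
        raise ValueError("record too short")  # expected, handled error path
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = payload[length - 1] if length else 0  # bug: payload may be shorter
    return tag ^ checksum, payload


def parse_record_patched(data: bytes) -> Tuple[int, bytes]:
    """Candidate fix (hypothetical): reject records whose payload is truncated."""
    if len(data) < 2:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    if len(data) - 2 < length:
        raise ValueError("truncated payload")  # explicit error instead of a crash
    payload = data[2:2 + length]
    checksum = payload[-1] if length else 0
    return tag ^ checksum, payload


def run_with_coverage(target: Target, data: bytes) -> Tuple[bool, Coverage]:
    """Run one input; report whether it crashed and which lines it executed."""
    cov: Coverage = set()

    def tracer(frame, event, arg):
        if event == "line":
            cov.add((frame.f_code.co_name, frame.f_lineno))
        return tracer

    previous = sys.gettrace()  # restore any tracer a test harness installed
    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except ValueError:
        crashed = False  # ValueError is the parser's documented rejection
    except Exception:
        crashed = True   # anything else is treated like a sanitizer report
    finally:
        sys.settrace(previous)
    return crashed, cov


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, byte replace, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.choice(["flip", "replace", "insert", "delete", "truncate"])
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "replace" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def fuzz(target: Target, seeds: List[bytes], iterations: int = 2000, seed: int = 1) -> List[bytes]:
    """Mutate a corpus, keep inputs that reach new lines, collect crash reproducers."""
    rng = random.Random(seed)
    corpus = list(seeds)
    seen: Coverage = set()
    crashes: List[bytes] = []
    for s in seeds:
        seen |= run_with_coverage(target, s)[1]
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        crashed, cov = run_with_coverage(target, child)
        if crashed:
            if child not in crashes:
                crashes.append(child)
        elif cov - seen:  # new coverage: promote to the corpus, as libFuzzer does
            seen |= cov
            corpus.append(child)
    return crashes


def validate_patch(patched: Target, crashes: List[bytes],
                   regression: List[Tuple[bytes, Tuple[int, bytes]]]) -> bool:
    """A patch is accepted only if reproducers no longer crash AND behaviour holds."""
    if any(run_with_coverage(patched, c)[0] for c in crashes):
        return False
    return all(patched(inp) == expected for inp, expected in regression)


# Constructed seed corpus and known-good input/output pairs.
SEEDS = [b"\x01\x03abc", b"\x09\x00"]
REGRESSION = [(b"\x01\x03abc", (1 ^ ord("c"), b"abc")), (b"\x09\x00", (9, b""))]

if __name__ == "__main__":
    found = fuzz(parse_record, SEEDS)
    print(f"crash reproducers found: {len(found)}")
    print("patch accepted:", validate_patch(parse_record_patched, found, REGRESSION))
```

The order of checks in `validate_patch` is the part worth copying: a fix that silences the reproducer but changes results on the regression pairs is rejected, which is the "don't break the rest of the program" condition the article attributes to Buttercup's patch agents.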

Requirements and download

The minimum requirements for running Buttercup include a CPU with at least eight cores, 16 GB of RAM, and 100 GB of available disk space. A stable internet connection is also necessary to download dependencies.

The solution relies on third-party AI providers such as LLMs from OpenAI, Anthropic, and Google, which incur usage costs. To keep per-deployment expenses under control, use the built-in LLM budget setting.

Buttercup is available for free on GitHub.
