buttercup by trailofbits

AI-powered vulnerability discovery and patching system

Created 7 months ago
1,155 stars

Top 33.4% on SourcePulse

Project Summary

Buttercup is an AI-powered Cyber Reasoning System (CRS) designed to automatically discover and patch software vulnerabilities in open-source C and Java projects. Developed by Trail of Bits for the DARPA AIxCC, it targets security researchers and developers seeking to enhance code security through automated fuzzing and AI-driven remediation.

How It Works

Buttercup runs an AI/ML-assisted fuzzing campaign, built on OSS-Fuzz, to find vulnerabilities. When a crash is found, it analyzes the issue and uses a multi-agent AI system to generate and apply a patch. The system is made up of an Orchestrator for workflow management, a Seed Generator for fuzzing inputs, a Fuzzer for vulnerability discovery, a Program Model for code analysis, and a Patcher for vulnerability remediation. The goal is efficient, automated vulnerability management.

Quick Start & Requirements

  • Install: Clone with submodules (git clone --recurse-submodules), then run make setup-local for automated setup, or make deploy-local to start the system.
  • Prerequisites: make, curl, git. Requires Linux x86_64 (ARM64 partial support).
  • Dependencies: Relies on third-party AI providers (OpenAI, Anthropic, Google Gemini support coming). API keys are necessary, and costs must be managed.
  • Resources: Minimum 8 cores CPU, 16 GB RAM, 100 GB disk.
  • Docs: Quick Reference Guide, Manual Setup Guide.

Highlighted Details

  • Integrates with OSS-Fuzz for vulnerability discovery.
  • Features an AI-driven multi-agent patcher for vulnerability remediation.
  • Includes local SigNoz deployment for observability (logs, traces, metrics).
  • Provides a web-based GUI for task monitoring and results visualization.

Maintenance & Community

Developed by Trail of Bits. Further community and roadmap details are not explicitly provided in the README.

Licensing & Compatibility

The README does not specify a license. Compatibility for commercial use or closed-source linking is not detailed.

Limitations & Caveats

Buttercup's functionality is dependent on third-party AI providers, incurring costs and requiring API keys. ARM64 support is partial. The system's effectiveness is tied to the quality of fuzzing harnesses and the OSS-Fuzz compatibility of target projects.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 60
  • Issues (30d): 38
  • Star History: 1,170 stars in the last 30 days
