Yeongjin Jang

Taesoo Kim, HyungSeok Han, Soyeon Park et al.

We present ATLANTIS, the cyber reasoning system developed by Team Atlanta that won 1st place in the Final Competition of DARPA's AI Cyber Challenge (AIxCC) at DEF CON 33 (August 2025). AIxCC (2023-2025) challenged teams to build autonomous cyber reasoning systems capable of discovering and patching vulnerabilities at the speed and scale of modern software. ATLANTIS integrates large language models (LLMs) with program analysis -- combining symbolic execution, directed fuzzing, and static analysis -- to address limitations in automated vulnerability discovery and program repair. Developed by researchers at Georgia Institute of Technology, Samsung Research, KAIST, and POSTECH, the system addresses core challenges: scaling across diverse codebases from C to Java, achieving high precision while maintaining broad coverage, and producing semantically correct patches that preserve intended behavior. We detail the design philosophy, architectural decisions, and implementation strategies behind ATLANTIS, share lessons learned from pushing the boundaries of automated security when program analysis meets modern AI, and release artifacts to support reproducibility and future research.

Christopher Jelesnianski, Jinwoo Yom, Changwoo Min et al.

Defense techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) were the early role models preventing primitive code injection and return-oriented programming (ROP) attacks. Notably, these techniques did so in an elegant and utilitarian manner, keeping performance and scalability in the forefront, making them one of the few widely-adopted defense techniques. As code re-use has evolved in complexity from JIT-ROP, to BROP and data-only attacks, defense techniques seem to have tunneled on defending at all costs, losing-their-way in pragmatic defense design. Some fail to provide comprehensive coverage, being too narrow in scope, while others provide unrealistic overheads leaving users willing to take their chances to maintain performance expectations. We present Mardu, an on-demand system-wide re-randomization technique that improves re-randomization and refocuses efforts to simultaneously embrace key characteristics of defense techniques: security, performance, and scalability. Our code sharing with diversification is achieved by implementing reactive and scalable, rather than continuous or one-time diversification while the use of hardware supported eXecute-only Memory (XoM) and shadow stack prevent memory disclosure; entwining and enabling code sharing further minimizes needed tracking, patching costs, and memory overhead. Mardu's evaluation shows performance and scalability to have low average overhead in both compute-intensive (5.5% on SPEC) and real-world applications (4.4% on NGINX). With this design, Mardu demonstrates that strong and scalable security guarantees are possible to achieve at a practical cost to encourage deployment.