🐦 The Artiphishell Awakening
This blog post has been long overdue, but I finally found some time to sit down and help somebody here at UCSB redeploy our beast: Artiphishell.
After that experience, I thought it would be a good idea to "open source" the process so that anyone around the world can experiment with and customize it.
In this post, Iβll share a step-by-step tutorial on how to deploy one of the Cyber Reasoning Systems that competed in the legendary DARPA AIxCC.
So grab a cup of coffee (or tea, or yerba mate, or whatever keeps you awake) and let's dive in! ☕
⚠️ Disclaimer: Although this tutorial has been successfully replicated by several people, it's still far from perfect. If you notice any inaccuracies or missing steps, please let me know at degrigis@ucsb.edu or on X (@degrigis). Thank you!
💻 Requirements
We have tested the deployment on a box with these specs:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.5 LTS
Release: 22.04
Codename: jammy
Linux myserver 5.15.0-153-generic #163-Ubuntu SMP Thu Aug 7 16:37:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
(aixcc) ~/projects$ python --version
Python 3.10.12
And, importantly,
(aixcc) ~/projects$ yq --version
yq (https://github.com/mikefarah/yq/) version v4.30.8
💣 Warnings
⚠️ I would strongly encourage using a machine dedicated to this. DO NOT deploy Artiphishell on your local laptop or on a machine where you store important data.
⚠️ You will need to set up a LiteLLM server with your own LLM keys. Be very mindful of this: Artiphishell can be very expensive if you leave it running for a long time (or forget it is running on some box). Set limits on these keys and make sure you shut everything down whenever you are done with it.
📝 Instructions
[1] First, let's download the AIxCC release from here.
After that, git clone https://github.com/degrigis/artiphishell-tweaks.git.
The latter contains the files you will use to replace the ones in the artiphishell-Finals folder (i.e., a few tweaks are necessary to make Artiphishell deployable on your box).
From now on, we will assume the working directory is ~/artiphishell-Finals.
[2] Make sure you have this specific version of yq installed:
~/artiphishell-release$ yq --version
yq (https://github.com/mikefarah/yq/) version v4.30.8
You can find it here: https://github.com/mikefarah/yq/releases/tag/v4.30.8
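If you need to install it, the pinned binary can be fetched straight from that GitHub release. A minimal sketch, assuming a Linux x86_64 box and that `yq_linux_amd64` is the right asset for it (check the release page):

```shell
# Pin mikefarah's yq (the Go implementation, not the Python yq) to v4.30.8
YQ_VERSION=v4.30.8
YQ_URL="https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64"
echo "Fetching: $YQ_URL"
# Requires network access and sudo:
# wget -qO /tmp/yq "$YQ_URL" && sudo install -m 0755 /tmp/yq /usr/local/bin/yq
```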
[3] Download the artiphishell-tweaks and use the files in it to overwrite the corresponding files in artiphishell-Finals. (The artiphishell-tweaks repo mirrors the folder structure of artiphishell-Finals.)
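Because the two trees mirror each other, the overwrite in step [3] is just a recursive copy. A sketch (the `overlay_tweaks` helper is mine, not part of the release; note the plain `*` glob skips dotfiles and the repo's `.git` directory, so copy any dotfiles the tweaks contain by hand):

```shell
overlay_tweaks() {
  # Copy the contents of the tweaks checkout ($1) over the release tree ($2),
  # preserving relative paths so matching files get overwritten in place.
  # Note: the * glob intentionally does not match dotfiles (e.g. .git).
  cp -r "$1"/* "$2"/
}

# Intended usage (assumed checkout locations):
# overlay_tweaks ~/artiphishell-tweaks ~/artiphishell-Finals
```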
[4] Build all the base images:
~/artiphishell-Finals$ ./local_run/rebuild_base_images.sh
After this step, if you do docker image ls | grep aixcc you should see something like:
ghcr.io/shellphish-support-syndicate/aixcc-afc-competition-api latest d913f660cc3c 47 seconds ago 7.66GB
aixcc-afc-competition-api latest d913f660cc3c 47 seconds ago 7.66GB
aixcc-libs latest 3ad045b94110 2 minutes ago 78.1MB
ghcr.io/shellphish-support-syndicate/aixcc-libs latest 3ad045b94110 2 minutes ago 78.1MB
aixcc-data latest 0cb410294698 2 minutes ago 136MB
ghcr.io/shellphish-support-syndicate/aixcc-data latest 0cb410294698 2 minutes ago 136MB
aixcc-component-base latest 98a76033d6cb 3 minutes ago 9.83GB
ghcr.io/shellphish-support-syndicate/aixcc-component-base latest 98a76033d6cb 3 minutes ago 9.83GB
aixcc-dependencies-base latest abddafffffe7 3 hours ago 7.34GB
ghcr.io/shellphish-support-syndicate/aixcc-dependencies-base latest abddafffffe7 3 hours ago 7.34GB
aixcc-codeql-server
[5] Now, create a new Python virtual environment (e.g., aixcc) and install pydatatask:
(aixcc) ~/artiphishell-Finals/libs/pydatatask$ pip install -e .
[6] Also install crs-telemetry:
(aixcc) ~/artiphishell-Finals/libs/crs-telemetry$ pip install -e .
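Steps [5] and [6] boil down to one fresh virtualenv plus two editable installs. A sketch (the venv location is arbitrary; the editable installs are shown as they would run from the repo checkout):

```shell
# Create and activate an isolated environment for Artiphishell's Python tooling
VENV_DIR="${VENV_DIR:-/tmp/aixcc-venv}"
python3 -m venv "$VENV_DIR"
. "$VENV_DIR/bin/activate"
python --version

# Then, from inside ~/artiphishell-Finals:
# pip install -e libs/pydatatask
# pip install -e libs/crs-telemetry
```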
[7] Pull the aixcc-base-runner:
docker pull ghcr.io/aixcc-finals/base-runner:v1.3.0
[8] Run the local build:
(aixcc) ~/artiphishell-Finals$ ./local_run/rebuild_local.sh build-all
[9] The build happens in parallel, and some dependencies between containers might break at this step. If you see errors such as:
------
> [image-aixcc-submitter stage-1 8/11] RUN --mount=type=cache,target=/root/.cache/uv uv sync --no-install-project:
23.36 Using CPython 3.11.0rc1 interpreter at: /usr/bin/python3.11
23.36 Removed virtual environment at: .venv
23.36 Creating virtual environment at: .venv
23.75 × Failed to resolve dependencies for `crs-api` (v0.1.0)
23.75 ╰─▶ Requirements contain conflicting URLs for package `shellphish-crs-utils`
23.75 in all marker environments:
23.75 - file:///shellphish/libs/crs-utils
23.75 - file:///shellphish/libs/crs-utils (editable)
23.75 help: `crs-api` (v0.1.0) was included because `submitter` (v0.1.0) depends
23.75 on `crs-api`
------
failed to solve: process "/bin/sh -c uv sync --no-install-project" did not complete successfully: exit code: 1
Just re-run the build command from step [8] until these errors no longer appear #DevOpsDoneRight.
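If you'd rather not babysit the terminal, the brute-force retry can be scripted. A sketch (the `retry` helper is mine, and the 5-attempt cap is arbitrary):

```shell
retry() {
  # Re-run "$@" until it exits 0, up to 5 attempts. The failures in step [9]
  # are races between parallel image builds, so a blunt retry usually works.
  local n=0
  until "$@"; do
    n=$((n + 1))
    if [ "$n" -ge 5 ]; then
      echo "giving up after $n attempts" >&2
      return 1
    fi
    echo "attempt $n failed, retrying..." >&2
  done
}

# Intended usage:
# retry ./local_run/rebuild_local.sh build-all
```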
[10] If everything builds correctly, you should see a lot of images tagged "aixcc":
docker image ls | grep aixcc
aixcc-codeql-server latest 07c2343b1ebe About an hour ago 9.25GB
aixcc-telegraf latest 892cbace18a0 About an hour ago 272MB
ghcr.io/shellphish-support-syndicate/aixcc-crs-api latest f1d881d2d6e0 15 hours ago 9.02GB
ghcr.io/shellphish-support-syndicate/aixcc-pdt-agent latest 6dfa1d9d8fba 15 hours ago 9.06GB
ghcr.io/shellphish-support-syndicate/aixcc-vllm-server latest 583e1c416b37 15 hours ago 10.8GB
ghcr.io/shellphish-support-syndicate/aixcc-telegraf latest cffae016d1e0 15 hours ago 272MB
aixcc-otel-collector latest 86bed71c304b 15 hours ago 318MB
ghcr.io/shellphish-support-syndicate/aixcc-otel-collector latest 581ca23211ac 15 hours ago 318MB
ghcr.io/shellphish-support-syndicate/aixcc-jaeger latest 86157c743d0d 15 hours ago 109MB
ghcr.io/shellphish-support-syndicate/aixcc-litellm latest 593963761e61 15 hours ago 1.87GB
ghcr.io/shellphish-support-syndicate/aixcc-data-prepper latest f4c88dd40148 15 hours ago 1.62GB
ghcr.io/shellphish-support-syndicate/aixcc-crs-monitor latest b1bfa1846069 15 hours ago 7.9GB
ghcr.io/shellphish-support-syndicate/aixcc-image-puller latest 30015187582e 15 hours ago 71.4MB
ghcr.io/shellphish-support-syndicate/aixcc-competition-server-infra latest 2685cefd8e43 15 hours ago 10.2GB
aixcc-aflplusplus latest 5693adef0239 17 hours ago 10.4GB
ghcr.io/shellphish-support-syndicate/aixcc-aflplusplus latest 5693adef0239 17 hours ago 10.4GB
[...]
[11] Create these folders on your machine (this needs sudo):
/shared/fuzzer_sync
/shared/docker-locks
[12] Change ownership of the folders to your user:
sudo chown -R your_user:your_user /shared/fuzzer_sync
sudo chown -R your_user:your_user /shared/docker-locks
[13] Change these variables in ~/artiphishell-Finals/local_run/env.sh:
export LITELLM_KEY=sk-artiphishell-da-best!!!
export AIXCC_LITELLM_HOSTNAME=${AIXCC_LITELLM_HOSTNAME:-http://wiseau.seclab.cs.ucsb.edu:666/}
export USE_LLM_API=1 # Whether to use the LiteLLM API or not for agentlib
with
export LITELLM_KEY=<YOUR_LITELLM_KEY>
export AIXCC_LITELLM_HOSTNAME=<YOUR_LITELLM_HOSTNAME>
export USE_LLM_API=1 # Whether to use the LiteLLM API or not for agentlib
For this, you will have to set up your own LiteLLM server (https://github.com/BerriAI/litellm) and use your OpenAI/Anthropic keys (again: be mindful, and set a limit on spending).
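For reference, a minimal LiteLLM proxy config might look like the sketch below. The model entries and budget fields follow LiteLLM's documented config format, but treat every name and value here as an assumption to double-check against the LiteLLM docs before relying on it:

```yaml
# config.yaml for `litellm --config config.yaml` -- illustrative only
model_list:
  - model_name: gpt-4o
    litellm_params:
      model: openai/gpt-4o
      api_key: os.environ/OPENAI_API_KEY
  - model_name: claude-sonnet
    litellm_params:
      model: anthropic/claude-3-5-sonnet-20241022
      api_key: os.environ/ANTHROPIC_API_KEY

litellm_settings:
  max_budget: 50        # hard spending cap (USD) -- adjust to taste
  budget_duration: 30d  # window over which the budget applies
```

Point AIXCC_LITELLM_HOSTNAME at wherever this proxy is listening, and use the proxy key you generate as LITELLM_KEY.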
[14] As an example, now start Artiphishell with the sqlite target. Make sure you are running this in the virtualenv where you installed pydatatask.
(aixcc) ~/artiphishell-Finals$ ./run_artiphishell.sh https://github.com/degrigis/afc-exhibition2-sqlite3-full exhibition2-sqlite3-full
[15] When asked:
Starting Artiphishell!
Do you want to run in DELTA mode?
Say no
[16] Wait for these logs to appear:
DEBUG | pydatatask.pipeline | canonical_build:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +20000000000.0
DEBUG | pydatatask.pipeline | codeql_build:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +20000000000.0
DEBUG | pydatatask.pipeline | full_mode_create_analysis_source:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +999999999.0
DEBUG | pydatatask.pipeline | patcherg:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +1000000.0
DEBUG | pydatatask.pipeline | clang_index:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +10000.0
DEBUG | pydatatask.pipeline | ccache_init:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +1000.0
DEBUG | pydatatask.pipeline | request_gpu_machine:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +100.0
DEBUG | pydatatask.pipeline | coverage_build_c:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +75.0
DEBUG | pydatatask.pipeline | build_configuration_splitter:770d986660de9fbc2c8b461b17d1574e1077aed285183c2597071fe08032ce22#0 +0.0
This means that the project was sent to Artiphishell.
[17] If you want to visualize whatβs happening, open another terminal and go to the root folder:
(aixcc) ~/artiphishell-Finals$ pd viz
INFO: Application startup complete.
INFO: Uvicorn running on http://0.0.0.0:8050 (Press CTRL+C to quit)
This spins up the Artiphishell visualization on the machine at http://0.0.0.0:8050.
If you are using a server, you can use an SSH forward to access it from your laptopβs browser.
(e.g., ssh -L 8050:localhost:8050 cimber)
[18] Open your browser and go to localhost:8050
[19] You can see all the containers running on the machine where you spun up Artiphishell with docker ps. With docker logs -f <CONTAINER_ID> you can see the logs of each component.
[20] To explore the generated artifacts, drop this script (pd-show) into the folder ~/artiphishell-Finals/ (the folder where you see the pipeline.lock file):
(aixcc) ~/artiphishell-Finals$ ls -la
drwxrwxr-x 14 degrigis degrigis 4096 Oct 20 02:16 .
drwxrwxr-x 4 degrigis degrigis 4096 Oct 19 16:38 ..
drwxrwxr-x 5 degrigis degrigis 4096 Aug 8 17:12 aixcc-infra
-rwxrwxr-x 1 degrigis degrigis 337 Aug 8 17:12 compare-afc-crs-shellphish.sh
drwxrwxr-x 56 degrigis degrigis 4096 Oct 18 16:16 components
drwxrwxr-x 2 degrigis degrigis 4096 Aug 8 17:12 config
-rwxrwxr-x 1 degrigis degrigis 588 Aug 8 17:12 deploy-to-afc-crs-shellphish.sh
drwxrwxr-x 2 degrigis degrigis 4096 Oct 17 22:22 docker
-rw-rw-r-- 1 degrigis degrigis 778 Oct 18 02:16 .dockerignore
-rw-rw-r-- 1 degrigis degrigis 105 Aug 8 17:12 .gitattributes
drwxrwxr-x 4 degrigis degrigis 4096 Aug 8 17:12 .github
-rw-rw-r-- 1 degrigis degrigis 534 Aug 8 17:12 .gitignore
drwxrwxr-x 9 degrigis degrigis 4096 Aug 8 17:12 infra
drwxrwxr-x 25 degrigis degrigis 4096 Aug 8 17:12 libs
-rw-rw-r-- 1 degrigis degrigis 1068 Aug 8 17:12 LICENSE
drwxrwxr-x 2 degrigis degrigis 4096 Aug 8 17:12 .llm-docs
drwxrwxr-x 7 degrigis degrigis 4096 Oct 19 03:00 local_run
-rwxrwxr-x 1 degrigis degrigis 2954 Oct 20 02:16 pd-show. //<------THIS
-rw-rw-r-- 1 degrigis degrigis 133543 Oct 18 17:57 pipeline.lock //<-----THIS
The script will show you a nice table where you can see the logs/files/tars produced by the running CRS.
(aixcc) ~/artiphishell-Finals$ ./pd-show
Pipeline Tasks Artifacts
┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━┓
┃ Type ┃ Repo                                                            ┃ Basedir                                              ┃ # Files ┃ Cls      ┃
┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━┩
│ ✅   │ Kumushi_Java_postprocessing_main_autodone_kumushi_delta_java    │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmp57gzf81h │ 0       │ YamlFile │
│ ✅   │ Kumushi_Java_postprocessing_main_autodone_kumushi_java          │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpp1t0hui0 │ 0       │ YamlFile │
│ 📄   │ Kumushi_Java_postprocessing_main_autologs_kumushi_delta_java    │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpb8yh1_xo │ 0       │ File     │
│ 📄   │ Kumushi_Java_postprocessing_main_autologs_kumushi_java          │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpg19pishl │ 0       │ File     │
│ ✅   │ Kumushi_postprocessing_main_autodone_kumushi                    │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpckmkg8pz │ 0       │ YamlFile │
│ ✅   │ Kumushi_postprocessing_main_autodone_kumushi_delta              │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpfw4y7b6f │ 0       │ YamlFile │
│ 📄   │ Kumushi_postprocessing_main_autologs_kumushi                    │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmp5m9jtvj4 │ 0       │ File     │
│ 📄   │ Kumushi_postprocessing_main_autologs_kumushi_delta              │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmppwozv4id │ 0       │ File     │
│ ✅   │ PatcherG_postprocessing_main_autodone_patcherg                  │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpzn7fql1h │ 0       │ YamlFile │
│ 📄   │ PatcherG_postprocessing_main_autologs_patcherg                  │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmp8py7skug │ 0       │ File     │
│ ✅   │ PatcherQ_postprocessing_main_autodone_patcherq                  │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmp_g64de0b │ 0       │ YamlFile │
│ ✅   │ PatcherQ_postprocessing_main_autodone_patcherq_delta            │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmphv3fdbie │ 0       │ YamlFile │
│ ✅   │ PatcherQ_postprocessing_main_autodone_patcherq_from_sarif       │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpzlo49kwh │ 0       │ YamlFile │
│ ✅   │ PatcherQ_postprocessing_main_autodone_patcherq_from_sarif_delta │ /tmp/pydatatask-degrigis/lock-xsecffekjc/tmpc_vhmy6_ │ 0       │ YamlFile │
You can also run docker ps to see which components are currently running, and docker logs -f <docker_container_id> to see what's going on!
[21] To shut everything down, just kill all the containers whose NAMES start with CRS__:
docker kill $(docker ps -q --filter "name=^CRS__")
📌 EXTRA NOTES:
- The EXTRA_ENV in the script run_artiphishell.sh:

EXTRA_ENV='-T coverage_trace -T kumushi_delta_java -T quick_seed_delta -T submitter -T vuln_model_scan -T grammar_agent_explore_delta -T grammar_agent_explore -T grammar_guy_fuzz -T aflpp_cross_node_sync -T grammar_composer_run -T corpus_inference_trace -T corpus_inference_llm -T corpus_kickstart -T aflpp_trigger_upscale -T semgrep_analysis --global-script-env ARTIPHISHELL_CCACHE_DISABLE=1' CUSTOM_OSS_FUZZ_TARGETS_REPO=git@github.com:degrigis/artiphishell-ossfuzz-targets.git ./local_run/run_local.sh $1 $2 "" $BASE_COMMIT $REFERENCE_COMMIT

controls which components are DISABLED. That is, -T coverage_trace disables the coverage_trace task. The script comes with a few defaults; depending on what you want to do, you may want to play with these flags.
- Be mindful of your LLM keys: as said, if you run everything for hours, you might end up spending a lot of money.
- Every component (in the components folder) is configured through its pipeline.yaml. This includes the number of replicas, the number of cores per component, etc. If you are running Artiphishell on your laptop, you may want to disable some components and reduce the replicas.
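For illustration only, scaling a component down might look something like this hypothetical excerpt. I have not checked these field names against the actual pipeline.yaml schema, so treat them purely as the kind of knobs to look for, not as copy-paste material:

```yaml
# Hypothetical pipeline.yaml excerpt -- field names are guesses;
# open the component's real pipeline.yaml before editing anything
tasks:
  grammar_guy_fuzz:
    replicas: 1   # down from the server-sized default
    resources:
      cpu: 2      # fewer cores per replica for laptop-class hardware
```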
I hope this little tutorial will play its part in democratizing the development and adoption of AI-based CRSes. This technology is truly (and rapidly!) changing the way we can find and fix vulnerabilities at scale. Can you imagine a world where 0days will be SO rare because of how fast we can catch them before they hit production?! That future could be closer than we think.
Happy hacking!