Google’s AI Tool Big Sleep Discovers a SQLite Database Engine Zero-Day Vulnerability


Google claimed to have used its Big Sleep (previously Project Naptime) large language model (LLM)-aided framework to find a zero-day vulnerability in the SQLite open-source database engine.

This was the “first real-world vulnerability” discovered using the artificial intelligence (AI) agent, according to the tech giant.

“We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software,” the Big Sleep team said to media.

This particular vulnerability is a stack buffer underflow in SQLite: the program reads or writes a memory location before the start of a stack buffer, which can lead to a crash or arbitrary code execution.

“This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used,” according to a Common Weakness Enumeration (CWE) description of the bug class.
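To make the CWE description above concrete, here is an added illustration of the bug class. It is not Google's, Big Sleep's or SQLite's code, and the function names (`rfind_unchecked`, `rfind_checked`, `demo_underflow_distance`) and inputs are constructed for this example. The unchecked backward scan decrements its index with no lower-bound test, so when the separator is absent it reads before the buffer; the hardened form checks the bound before every dereference and reports "not found" explicitly. The demo places the working buffer after a guard region inside one larger array so the underflow can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (constructed for illustration): scan backwards for `sep`
 * with no lower-bound check. If `sep` never occurs, `i` is decremented below 0
 * and buf[i] reads memory before the start of the buffer, which is exactly the
 * "index decremented to a position before the buffer" case in the CWE text. */
long rfind_unchecked(const char *buf, size_t len, char sep) {
    long i = (long)len - 1;
    while (buf[i] != sep) {   /* no `i >= 0` guard before the dereference */
        i--;
    }
    return i;
}

/* Hardened form: the loop condition tests the lower bound before each read,
 * and the "not found" case is an explicit sentinel instead of an out-of-bounds
 * index. An empty buffer (len == 0) is handled correctly as well. */
long rfind_checked(const char *buf, size_t len, char sep) {
    for (long i = (long)len - 1; i >= 0; i--) {
        if (buf[i] == sep) {
            return i;
        }
    }
    return -1;
}

/* Observes the underflow safely: `work` starts GUARD bytes into `storage`, so
 * reads just below `work` stay inside the same object. The guard is filled with
 * `sep`, so the unchecked loop stops there and its negative return value shows
 * how far before the buffer it read (-1 means one byte before the start). */
#define GUARD 8
#define WORK_MAX 32
long demo_underflow_distance(const char *input, char sep) {
    char storage[GUARD + WORK_MAX];
    char *work = storage + GUARD;
    size_t len = strlen(input);

    memset(storage, sep, GUARD);        /* constructed "guard" region */
    if (len > WORK_MAX) {
        len = WORK_MAX;
    }
    memcpy(work, input, len);           /* constructed working buffer */
    return rfind_unchecked(work, len, sep);
}

int main(void) {
    /* Constructed sample inputs: one with a separator, one without. */
    const char *with_sep = "dir/file";
    const char *no_sep   = "filename";

    printf("checked   '%s' -> %ld\n", with_sep, rfind_checked(with_sep, strlen(with_sep), '/'));
    printf("checked   '%s' -> %ld\n", no_sep,   rfind_checked(no_sep,   strlen(no_sep),   '/'));
    printf("unchecked '%s' -> %ld (read before buffer start)\n",
           no_sep, demo_underflow_distance(no_sep, '/'));
    return 0;
}
```

On real stack memory the bytes before the buffer are whatever the caller left there (saved registers, return addresses, other locals), so the unchecked variant's behaviour depends on that content; this is why the fix is the bound check in the loop condition rather than any assumption about what precedes the buffer.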

As of early October 2024, the weakness has been fixed following responsible disclosure. Notably, the error was found in the library's development branch, so it was reported and fixed before the affected code reached a formal release.

In June 2024, Google originally described Project Naptime as a technology framework to enhance automated vulnerability-finding methods. Since then, it has developed into Big Sleep as a result of a larger partnership between Google DeepMind and Project Zero.

The concept behind Big Sleep is to use an AI agent that mimics how a human researcher finds and demonstrates security flaws, drawing on an LLM's reasoning and code-comprehension skills.

This involves a set of specialised tools that let the agent navigate the target codebase, run Python scripts in a sandboxed environment to generate fuzzing inputs, debug the program, and observe the outcomes.

“We think that this work has tremendous defensive potential. Finding vulnerabilities in software before it’s even released, means that there’s no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them,” Google said.

The company, however, also emphasized that these are still experimental results, adding “the position of the Big Sleep team is that at present, it’s likely that a target-specific fuzzer would be at least as effective (at finding vulnerabilities).”



CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.