Google stated it found a zero-day vulnerability within the SQLite open-source database engine utilizing its massive language mannequin (LLM) assisted framework referred to as Massive Sleep (previously Undertaking Naptime).
The tech big described the event because the “first real-world vulnerability” uncovered utilizing the synthetic intelligence (AI) agent.
“We consider that is the primary public instance of an AI agent discovering a beforehand unknown exploitable memory-safety concern in extensively used real-world software program,” the Massive Sleep staff stated in a weblog put up shared with The Hacker Information.
The vulnerability in query is a stack buffer underflow in SQLite, which happens when a bit of software program references a reminiscence location previous to the start of the reminiscence buffer, thereby leading to a crash or arbitrary code execution.
“This sometimes happens when a pointer or its index is decremented to a place earlier than the buffer, when pointer arithmetic outcomes ready earlier than the start of the legitimate reminiscence location, or when a detrimental index is used,” in keeping with a Frequent Weak spot Enumeration (CWE) description of the bug class.
Following accountable disclosure, the shortcoming has been addressed as of early October 2024. It is price noting that the flaw was found in a improvement department of the library, that means it was flagged earlier than it made it into an official launch.
Undertaking Naptime was first detailed by Google in June 2024 as a technical framework to enhance automated vulnerability discovery approaches. It has since developed into Massive Sleep, as a part of a broader collaboration between Google Undertaking Zero and Google DeepMind.
With Massive Sleep, the thought is to leverage an AI agent to simulate human conduct when figuring out and demonstrating safety vulnerabilities by profiting from an LLM’s code comprehension and reasoning skills.
This entails utilizing a set of specialised instruments that permit the agent to navigate by means of the goal codebase, run Python scripts in a sandboxed atmosphere to generate inputs for fuzzing, and debug this system and observe outcomes.
“We predict that this work has super defensive potential. Discovering vulnerabilities in software program earlier than it is even launched, implies that there is no scope for attackers to compete: the vulnerabilities are mounted earlier than attackers also have a likelihood to make use of them,” Google stated.
The corporate, nevertheless, additionally emphasised that these are nonetheless experimental outcomes, including “the place of the Massive Sleep staff is that at current, it is doubtless {that a} target-specific fuzzer can be no less than as efficient (at discovering vulnerabilities).”
