Tue Nov 05 2024

One of Google's important artificial intelligence projects detected serious security threats on its own.

Big Sleep manages to discover a memory-safety flaw by itself.

A collaborative project between Google Project Zero and Google DeepMind has conducted an analysis that resulted in the detection of a critical vulnerability in software before its public release. The artificial intelligence agent known as Big Sleep was tasked with examining the open-source database engine SQLite and succeeded in identifying a stack buffer underflow flaw, which was fixed on the same day it was discovered. This advancement could set a precedent, as it would mark the first time an artificial intelligence has detected a memory-related security flaw in a widely used application.

During the process, the team also used a method called fuzzing, which automates the testing of software in search of flaws or vulnerabilities, typically the kind that attackers exploit. Although fuzzing is a useful technique, it does not guarantee that all issues will be discovered: a vulnerability that has been found and fixed can still exist in other forms within the software and remain undetected.

Google provided the Big Sleep agent with a previously fixed vulnerability as a starting point to search for similar vulnerabilities within the software. As Big Sleep explored, it was able to reproduce the error in a test case, narrowing the possible causes down to a single issue and formulating an accurate summary of the vulnerability.

The vulnerability had not been detected earlier using traditional fuzzing techniques because the configuration used did not allow access to the same extensions. In fact, when fuzzing was repeated with the correct configuration, the vulnerability remained undiscovered, despite consuming 150 CPU hours in the process.

The Big Sleep team expressed their optimism: "We hope that in the future, this effort will provide a significant advantage to defenders, not only to find test cases that cause failures but also to provide high-quality root cause analysis; thus, the problem management and resolution process could be much more cost-effective and efficient." They also stated their intention to continue sharing their research to bridge the gap between public advancements and private developments in this field.