One of Google's "big AI" projects uncovered some serious security threats seemingly all on its own
Date:
Tue, 05 Nov 2024 12:21:43 +0000
Description:
Google's Big Sleep AI discovered an unfuzzable vulnerability within SQLite.
FULL STORY ======================================================================
- Project Zero and DeepMind "big AI" uncovers security vulnerabilities
- Big Sleep finds a SQLite stack buffer underflow flaw before official release
- AI could revolutionize software development by discovering critical flaws
A collaborative big AI project between Google Project Zero and Google
DeepMind has discovered a critical vulnerability in a piece of software
before public release.
The Big Sleep AI agent was set to work analyzing the SQLite open source database engine, where it discovered a stack buffer underflow flaw which was subsequently patched the same day.
This discovery potentially marks the first ever time an AI has uncovered a memory-safety flaw in a widely used application.

Fuzzed software out-fuzzed by AI
Big Sleep found the stack buffer underflow vulnerability in SQLite which had been fuzzed multiple times.
Fuzzing is an automated software testing method that can discover potential flaws or vulnerabilities such as memory safety issues that are typically exploited by attackers. However, it is not a foolproof method of
vulnerability hunting, and a fuzzed vulnerability that is found and patched could also exist as a variant elsewhere in the software and go undiscovered.
The methodology used by Google in this instance was to provide a previously patched vulnerability as a starting point for the Big Sleep agent, and then set it loose hunting for similar vulnerabilities elsewhere in the software.
While hunting for a similar vulnerability, Big Sleep encountered a vulnerability and traced the steps it took to recreate the vulnerability in a test case, gradually narrowing down the potential causes to a single issue
and generating an accurate summary of the vulnerability.
Google Project Zero points out that the bug wasn't previously spotted using traditional fuzzing techniques because the fuzzing harness was not configured to access the same extensions. Even when fuzzing was re-run with the same configuration, the vulnerability remained undiscovered despite 150 CPU-hours of fuzzing.
"We hope that in the future this effort will lead to a significant advantage to defenders - with the potential not only to find crashing testcases, but also to provide high-quality root-cause analysis, triaging and fixing issues could be much cheaper and more effective in the future," the Big Sleep team said. "We aim to continue sharing our research in this space, keeping the gap between the public state-of-the-art and private state-of-the-art as small as possible."
The full testing methodology and vulnerability discovery details can be found here.
======================================================================
Link to news story:
https://www.techradar.com/pro/one-of-googles-big-ai-projects-uncovered-some-serious-security-threats-seeminlgy-all-on-its-own
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)