Unpatched software vulnerabilities have long been a chronic cybersecurity pain point, leading to costly data breaches every year.
The problem: Organizations don't patch software flaws as quickly as threat actors find and exploit them.
A potential solution: Generative AI. Some cybersecurity experts believe GenAI can help close that gap by not just finding bugs, but also fixing them.
In internal experiments, Google's large language model has already achieved modest but significant success, remediating 15% of simple software bugs it targeted.
In a presentation at RSA Conference 2024, Elie Bursztein, cybersecurity technical and research lead at Google DeepMind, said his team is actively testing various AI security use cases, ranging from phishing prevention to incident response.
The ability to use Google's LLM to secure its codebase by finding and patching vulnerabilities - and, ultimately, reducing or eliminating the number of vulnerabilities that require patching - tops their AI security wish list.
In a recent experiment, Bursztein's team compiled 1,000 simple vulnerabilities from within the Google codebase, discovered by sanitizers in C/C++.
They then asked a Gemini-based AI model - similar to Google's publicly available Gemini Pro - to generate and test patches and identify the best ones for human review.
You are a Senior Software Engineer tasked with fixing sanitizer errors.
Please fix the
error originating here.
Engineers reviewed the AI-generated patches - an effort Bursztein described as significant and time-consuming - ultimately approving 15% and adding them to Google's codebase.
In his RSAC presentation, Bursztein said the results of the AI patching experiment suggest Google researchers are on the right track.
In one instance, for example, the LLM correctly identified and fixed a race condition by adding a mutex.
Although the results of the AI patching experiment were promising, Bursztein cautioned that the technology is far from where Google hopes to one day see it - reliably and autonomously fixing 90%-95% of bugs.
The AI seemed better at fixing some types of bugs than others - often those with fewer lines, researchers found.
The validation process for AI-suggested fixes - in which human operators make sure patches address the vulnerabilities in question without breaking anything in production - remains complex and requires manual intervention.
In one instance of problematic behavior, according to Bursztein, the AI commented out to get rid of a bug - but also got rid of the code in the process.
To train the AI out of this behavior requires data sets with thousands of benchmarks, he added, each assessing both whether a vulnerability is fixed and whether program features are kept intact.
Creating these, Bursztein predicted, will be a challenge for the cybersecurity community at large.
These difficulties notwithstanding, he remains optimistic that AI might one day autonomously drive bug discovery and patch management, shrinking vulnerability windows until they all but disappear.
This Cyber News was published on www.techtarget.com. Publication date: Sat, 18 May 2024 08:43:05 +0000