Big Sleep, an AI model developed by Google Project Zero in collaboration with DeepMind, has discovered a memory-safety vulnerability in the SQLite database engine. Google describes it as the first time an AI agent has found a previously unknown, exploitable vulnerability in widely used real-world software, a notable milestone for AI in software security. By analyzing the SQLite codebase, Big Sleep uncovered a stack buffer underflow that traditional fuzzing had not detected, and the development team fixed it promptly, heading off a potential security risk. The result demonstrates AI's potential to assist in software security testing and points to a new direction for future research.
Google recently announced that its AI model "Big Sleep" had found a memory-safety vulnerability in SQLite: an exploitable stack buffer underflow that was fixed before it ever shipped in an official release. Big Sleep is a collaboration between Google Project Zero and DeepMind and is regarded as the successor to the earlier Project Naptime.
SQLite is a widely used open-source database engine, and the flaw could have allowed an attacker using a maliciously crafted database or SQL injection to crash SQLite or even achieve arbitrary code execution. The root cause is a magic value of -1 being accidentally used as an array index. An assert() in the code would catch this condition, but that debug-level check is compiled out of release builds.
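To make the bug class concrete, here is a minimal, hypothetical C sketch of the same pattern: a lookup returns -1 as a "not found" sentinel, an assert() guards against it only in debug builds, and a release build (compiled with -DNDEBUG) lets the sentinel flow into an array index. All names below are invented for illustration and do not come from the SQLite source.

```c
/* Hypothetical sketch of the bug class described above -- not SQLite code.
 * A -1 "magic value" sentinel escapes into an array index when the
 * assert() that would catch it is compiled out of release builds. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

static int find_index(const char *name, const char *names[], int n) {
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0)
            return i;
    return -1;  /* sentinel: "not found" */
}

static void print_weight(const char *name) {
    const char *names[] = { "id", "value", "ts" };
    int weights[3] = { 10, 20, 30 };        /* stack-allocated buffer */

    int idx = find_index(name, names, 3);
    assert(idx >= 0);   /* catches the bug in debug builds only;
                           removed entirely when built with -DNDEBUG */

    /* In a release build, idx == -1 reaches this line and indexes one
     * element before the start of weights[]: a stack buffer underflow. */
    printf("%s -> %d\n", name, weights[idx]);
}

int main(void) {
    print_weight("no-such-column");
    return 0;
}
```

Compiled normally, the assert aborts the program on the bad lookup; compiled with `-DNDEBUG`, the negative index silently reads memory before the start of the stack array.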
Google pointed out that exploiting the vulnerability would not be easy, but the more important point is that this is the first time an AI agent has found a previously unknown, exploitable vulnerability in widely used real-world software. According to Google, traditional fuzzing had failed to surface the problem, but Big Sleep did: after analyzing a series of recent commits to the project's source code, it pinpointed the vulnerability in early October, and the issue was fixed the same day.
Google said in its November 1 announcement that the research has significant defensive potential. While fuzzing has already delivered substantial results, the team believes a new approach is needed to help developers find vulnerabilities that are difficult to reach through fuzzing, and it is optimistic about AI's capabilities in this area.
Earlier, Seattle-based Protect AI launched an open-source tool called Vulnhuntr, claiming it can use Anthropic's Claude AI model to find zero-day vulnerabilities in Python codebases. The Google team stressed, however, that the two tools serve different purposes: Big Sleep targets memory-safety vulnerabilities.
Big Sleep is still at the research stage and has mostly been tested on small programs with known vulnerabilities; this was its first experiment in a real-world setting. For the test, the research team gathered several recent commits to the SQLite codebase, analyzed them, adjusted the model's prompt accordingly, and ultimately found the vulnerability.
Despite this achievement, the Google team cautions that the results remain highly experimental, and that a target-specific fuzzer may well be just as effective at finding such vulnerabilities today.
Key points:
**Google's AI model Big Sleep discovered a memory-safety vulnerability in SQLite for the first time.**
**The vulnerability was fixed before it reached an official release, marking new progress for AI in vulnerability discovery.**
**Despite the result, Google stresses that the work is still experimental and fuzzing remains effective.**
In short, Big Sleep's success demonstrates AI's potential in software security, but it is also a reminder that such tools are still under development and work best alongside traditional methods. Further research is needed to improve their reliability and efficiency.