Google’s Big Sleep AI model becomes world first with discovery of SQLite security vulnerability

Google LLC said today it has discovered a previously unknown artificial intelligence vulnerability that it claims is a world first and could mark the beginning of the use of AI at the forefront of security vulnerability detection.

The vulnerability, a buffer overflow issue in SQLite, was discovered using a large language model called “Big Sleep,” created as a collaboration between Google Project Zero and DeepMind.

The Big Sleep model uses advanced variant analysis techniques—techniques that involve using information about previously discovered vulnerabilities to identify similar, potentially exploitable flaws in related sections of code. Using this approach, Big Sleep discovered a flaw that had eluded traditional fuzzing methods, which involve automatically generating and testing large volumes of random or semi-random input to a program to identify bugs or vulnerabilities by observing unexpected failures or behavior.

The system works by first looking for specific changes in the code base, such as commit messages and differencesto identify areas of potential concern. The model then analyzes these sections using pre-trained knowledge of code patterns and past vulnerabilities, allowing it to pinpoint subtle flaws that might be missed by conventional testing tools.

During its analysis, Big Sleep discovered an issue in the SQLite “seriesBestIndex” function that prevented it from properly handling edge cases involving negative indexes that could result in a write operation outside its intended memory bounds, creating a potential exploit. The AI ​​identified the vulnerability by simulating real-life use cases and learning how different inputs interact with the vulnerable code.

In addition, Big Sleep also conducted root cause analysis, not only identifying vulnerabilities but also understanding the underlying issues that lead to them. According to Google, this feature will allow developers to solve the underlying problem and therefore reduce the likelihood of similar vulnerabilities occurring in the future.

Interestingly, the vulnerability was discovered before it could be exploited in an official release, perhaps demonstrating the effectiveness of AI in proactive defense.

“We hope that in the future these efforts will provide a significant benefit to defenders – as the ability to not only find instances of testing failures, but also provide high-quality root cause analysis, triage and fix problems can be much cheaper and more expensive. effective in the future,” the Big Sleep team wrote in their post. blog post.

Image: SiliconANGLE/Ideogram