Reactive and proactive security: The tool takes both reactive and proactive approaches to code security, Google DeepMind said. Reactively, it patches newly discovered vulnerabilities as they surface. Proactively, it rewrites and secures existing code to eliminate entire classes of vulnerabilities.

In one proactive example, Google DeepMind used CodeMender to apply -fbounds-safety annotations to parts of libwebp, a widely used image compression library. With the annotations in place, the compiler inserts bounds checks on annotated pointers, so an out-of-bounds read or write traps instead of silently corrupting memory; a buffer overflow or underflow becomes a crash rather than a primitive for executing arbitrary code. The annotations are a Clang extension enabled with the -fbounds-safety flag, so they only take effect when the code is built with a compiler that supports it.

The company pointed to CVE-2023-4863, a heap buffer overflow vulnerability in libwebp that a threat actor used as part of a zero-click iOS exploit. With -fbounds-safety annotations, this vulnerability would have been rendered unexploitable, Google DeepMind said in the blog post.
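What a -fbounds-safety annotation looks like in practice, as an added example that is not libwebp code and not a CodeMender patch: a constructed "decoder" that copies pixel bytes into a heap buffer, first in the vulnerable shape (the write loop is bounded by a length the file declares, not by the allocation) and then with the output pointer annotated with its element count and the corresponding check. The `__counted_by` annotation name comes from Apple's -fbounds-safety documentation; the header layout, the XOR "decode" step and the sample input are constructed for illustration, and the macro fallback lets the file build with any C compiler, where the explicit check stands in for the one the compiler would insert.

```c
/* Added example (not libwebp or CodeMender code). Shows the shape of a heap
 * buffer overflow in the class -fbounds-safety targets, and the annotated,
 * bounds-checked form. Header layout and decode step are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* With clang -fbounds-safety (annotations from <ptrcheck.h>), __counted_by(n)
 * on a pointer tells the compiler the pointer refers to n elements, and every
 * index into it is checked, trapping on violation. Other compilers know
 * nothing of the annotation, so define it away for them; the explicit check
 * in decode_bounds_checked then does what the compiler would do. */
#if defined(__has_include)
#  if __has_include(<ptrcheck.h>)
#    include <ptrcheck.h>
#  endif
#endif
#ifndef __counted_by
#  define __counted_by(n)
#endif

/* Constructed stand-in for an image header: the file declares how many pixel
 * bytes follow. This value is attacker-controlled and may exceed the buffer
 * the caller allocated from the image dimensions. */
typedef struct {
    uint32_t declared_len;
} header_t;

/* Vulnerable shape: the loop is bounded by the file's declared length, never
 * by the size of out. A declared_len larger than the allocation writes past
 * the end of the heap buffer. Kept only for contrast; only ever called here
 * with a header that matches the allocation. */
static void decode_unchecked(const header_t *hdr, const uint8_t *payload,
                             size_t payload_len, uint8_t *out)
{
    for (uint32_t i = 0; i < hdr->declared_len && i < payload_len; i++)
        out[i] = payload[i] ^ 0xFFu;   /* toy "decode" transform */
}

/* Hardened shape: both buffers carry their element counts. Under
 * -fbounds-safety the compiler emits an `i < out_len` check before every
 * out[i] and traps if it fails; the up-front check below rejects the same
 * malformed inputs cleanly before any write. Returns 0 on success, -1 when
 * the header claims more output than the buffer (or the payload) holds. */
static int decode_bounds_checked(const header_t *hdr,
                                 const uint8_t *__counted_by(payload_len) payload,
                                 size_t payload_len,
                                 uint8_t *__counted_by(out_len) out,
                                 size_t out_len)
{
    if (hdr->declared_len > out_len || hdr->declared_len > payload_len)
        return -1;   /* malformed file: refuse rather than corrupt the heap */
    for (uint32_t i = 0; i < hdr->declared_len; i++)
        out[i] = payload[i] ^ 0xFFu;
    return 0;
}

/* Drive both shapes on a constructed 16-byte output buffer. */
int main(void)
{
    uint8_t payload[64];
    memset(payload, 0x0F, sizeof payload);        /* constructed "compressed" data */
    uint8_t *out = calloc(16, 1);                 /* sized from trusted dimensions */
    if (out == NULL)
        return 1;

    header_t good = { .declared_len = 16 };       /* consistent with allocation */
    header_t evil = { .declared_len = 64 };       /* claims four times the allocation */

    printf("checked, good header: %d\n",
           decode_bounds_checked(&good, payload, sizeof payload, out, 16));
    printf("checked, evil header: %d\n",
           decode_bounds_checked(&evil, payload, sizeof payload, out, 16));

    decode_unchecked(&good, payload, sizeof payload, out);   /* safe: 16 == 16 */
    /* decode_unchecked(&evil, ...) would write 48 bytes past out. */

    free(out);
    return 0;
}
```

Built with a compiler that lacks -fbounds-safety, the annotation expands to nothing and only the explicit check protects `out`. Built with `clang -fbounds-safety`, the `__counted_by` parameters are checked on every access, and the unannotated `out` in `decode_unchecked` is treated as a pointer to a single element, so its indexing loop is rejected at compile time instead of being left as a latent overflow.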
Human review is still required: While Google DeepMind described early results with CodeMender as promising, the company said it is taking a cautious approach focused on reliability. Currently, all patches generated by CodeMender are reviewed by human researchers before being submitted upstream, the researchers added in the post.

Using CodeMender, Google DeepMind said it has already begun submitting patches to various critical open-source libraries, many of which have already been accepted and upstreamed. The company said it is gradually ramping up the process to ensure quality and to systematically address feedback from the open-source community, and that it will gradually reach out to interested maintainers of critical open-source projects with CodeMender-generated patches. It also hopes to release CodeMender as a tool that any software developer can use to keep their codebases secure, and plans to publish technical papers and reports detailing its techniques and results in the coming months, the company said in the blog post.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4068774/google-deepmind-launches-an-ai-agent-to-fix-code-vulnerabilities-automatically.html

