Google’s New AI Tool Uncovers Critical Zero-Day Vulnerability in SQLite
As cyber threats grow more sophisticated, the need for innovative tools to enhance vulnerability detection has never been greater. Cybersecurity companies like Palo Alto, Fortinet, and CrowdStrike have responded by incorporating AI to enhance their threat detection capabilities.
A new cybersecurity innovation has emerged from an unexpected source. Google claims that it has used a large language model (LLM) agent called “Big Sleep” to discover a previously unknown, exploitable memory flaw in SQLite, a widely used open-source database engine.
Developed in collaboration between Google’s Project Zero and DeepMind, Big Sleep was able to detect a zero-day vulnerability in the SQLite database. The tool identified a flaw in the code where a special pattern used in SQLite’s ‘ROWID’ column wasn’t properly managed. This oversight allowed a negative index to be written into a stack buffer, resulting in a significant security vulnerability.
The bug-hunting AI tool is designed to go beyond traditional techniques like fuzzing, an automated software testing method that feeds invalid, random or unexpected inputs into a system to uncover vulnerabilities. While fuzzing works well for finding simple bugs, LLM-powered tools have the potential to offer more sophisticated analysis by understanding the deeper logic of the code.
Google deployed Big Sleep to analyze recent changes to the SQLite source code. The tool reviewed the alterations through a tailored prompt and ran Python scripts within a sandboxed environment. During this process, Big Sleep identified a flaw in the code where a negative index, -1, was incorrectly used. If left unchecked, this flaw could have allowed unstable behavior or arbitrary code execution.
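As an added illustration of the bug class the article describes, and not SQLite's code or Big Sleep's output, the constructed C routine below sketches an index planner for a virtual table in which the ROWID is addressed by a special column number, assumed here to be -1, and that number is then used as an index into a stack array. The vulnerable form writes one slot before the array; the hardened form resolves the marker first and range-checks every other column number before indexing. All names (`best_index_vulnerable`, `best_index_hardened`, `ROWID_COL`, `struct constraint`) and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of a negative-index stack write, not SQLite's code.
 * Assumption for this example: constraints name columns by number, and the
 * ROWID pseudo-column is encoded as the special value -1. */
#define NUM_COLS  4
#define ROWID_COL (-1)   /* hypothetical marker for the ROWID "column" */

struct constraint {
    int iColumn;   /* column number, or ROWID_COL */
    int usable;    /* 1 if the planner may use this constraint */
};

/* Vulnerable version: trusts iColumn as an index into a stack array.
 * A usable constraint on ROWID (iColumn == -1) writes to aIdx[-1], the slot
 * just before the array on the stack. Shown for contrast only; not called. */
int best_index_vulnerable(const struct constraint *c, int n) {
    int aIdx[NUM_COLS];
    memset(aIdx, 0, sizeof aIdx);
    for (int i = 0; i < n; i++) {
        if (!c[i].usable) continue;
        aIdx[c[i].iColumn] = i + 1;   /* out-of-bounds when iColumn < 0 */
    }
    return aIdx[0];
}

/* Hardened version: the ROWID marker is handled explicitly and every other
 * column number is range-checked before it touches the array.
 * Returns the number of constraints recorded, or -1 on an invalid column. */
int best_index_hardened(const struct constraint *c, int n, int *rowid_used) {
    int aIdx[NUM_COLS];
    int recorded = 0;
    memset(aIdx, 0, sizeof aIdx);
    *rowid_used = 0;
    for (int i = 0; i < n; i++) {
        if (!c[i].usable) continue;
        if (c[i].iColumn == ROWID_COL) {   /* marker case resolved first */
            *rowid_used = 1;
            recorded++;
            continue;
        }
        if (c[i].iColumn < 0 || c[i].iColumn >= NUM_COLS) return -1;
        aIdx[c[i].iColumn] = i + 1;
        recorded++;
    }
    return recorded;
}

/* Constructed sample: two ordinary columns plus a ROWID constraint. */
int demo_rowid_constraint(void) {
    struct constraint cs[] = {{0, 1}, {ROWID_COL, 1}, {2, 0}};
    int rowid_used = 0;
    int n = best_index_hardened(cs, 3, &rowid_used);
    return n == 2 && rowid_used == 1;
}

/* Constructed sample: a column number past the end of the array is rejected. */
int demo_rejects_out_of_range(void) {
    struct constraint cs[] = {{7, 1}};
    int rowid_used = 0;
    return best_index_hardened(cs, 1, &rowid_used) == -1;
}

int main(void) {
    printf("rowid handled: %s\n", demo_rowid_constraint() ? "yes" : "no");
    printf("bad column rejected: %s\n", demo_rejects_out_of_range() ? "yes" : "no");
    return 0;
}
```

The defensive point: any value that doubles as a semantic marker and an array index must have the marker case resolved before indexing, and an explicit range check catches the values a coverage-guided fuzzer may never happen to generate.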
“We think that this work has tremendous defensive potential,” shared the Project Zero team at Google. “Finding vulnerabilities in software before it’s even released, means that there’s no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them.”
“Fuzzing has helped significantly, but we need an approach that can help defenders to find the bugs that are difficult (or impossible) to find by fuzzing, and we’re hopeful that AI can narrow this gap. We think that this is a promising path towards finally turning the tables and achieving an asymmetric advantage for defenders.”
Earlier this month, Google shared that its LLM-assisted security vulnerability research framework, Project Naptime, has evolved into Big Sleep. This week’s announcement that Big Sleep has been used to identify a critical vulnerability marks a significant milestone in the integration of AI into cybersecurity practices.
The existing testing infrastructure for SQLite, including the project’s own infrastructure and OSS-Fuzz, could not find the issue. The flaw in the pre-release version was identified by the Project Zero team using Big Sleep, and they promptly notified the SQLite team. The vulnerability was patched the same day, preventing any potential exploitation.
This is not the first time that an AI-powered tool has discovered flaws in software. In August, an LLM program named Atlantis identified a different bug in SQLite. Machine learning (ML) models have also been used for years to find potential vulnerabilities in software code.
According to Google, Big Sleep is the first step to building a sophisticated tool capable of mimicking the workflow of human security researchers when analyzing software code. Google named Project Naptime as a reference to the ability of the tool to allow its human researchers to “take regular naps” on the job.
Google acknowledged that the discovery took place in a “highly experimental” environment, and while a “target-specific fuzzer” could have also detected the issue, Big Sleep’s potential goes beyond that. The developers hope that over time, Big Sleep will evolve into a more accessible and scalable tool that identifies vulnerabilities more efficiently compared to other tools. Google plans on sharing its research to help fill the fuzzing gap and democratize the bug detection process.