News: 0175382793


Is AI-Driven 0-Day Detection Here? (zeropath.com)

(Saturday November 02, 2024 @06:53PM (EditorDavid) from the rise-of-the-machines dept.)


"AI-driven 0-day detection is here," argues [1]a new blog post from ZeroPath, makers of [2]a GitHub app that "detects, verifies, and issues pull requests for security vulnerabilities in your code."

They write that AI-assisted security research "has been quietly advancing" since early 2023, when researchers at the DARPA and ARPA-H's [3]Artificial Intelligence Cyber Challenge demonstrated the first practical applications of LLM-powered vulnerability detection — with new advances continuing. "Since July 2024, ZeroPath's tool has uncovered critical zero-day vulnerabilities — including remote code execution, authentication bypasses, and insecure direct object references — in popular AI platforms and open-source projects." And they ultimately identified security flaws in projects owned by Netflix, Salesforce, and Hulu by "taking a novel approach combining deep program analysis with adversarial AI agents for validation. Our methodology has uncovered numerous critical vulnerabilities in production systems, including several that traditional Static Application Security Testing tools were ill-equipped to find..."

> TL;DR — most of these bugs are simple and could have been found with a code review from a security researcher or, in some cases, scanners. The historical issue, however, with automating the discovery of these bugs is that traditional SAST tools rely on pattern matching and predefined rules, and miss complex vulnerabilities that do not fit known patterns (i.e. business logic problems, broken authentication flaws, or non-traditional sinks such as from dependencies). They also generate a high rate of false positives.

>

> The beauty of LLMs is that they can reduce ambiguity in most of the situations that caused scanners to be either unusable or produce few findings when mass-scanning open source repositories... To do this well, you need to combine deep program analysis with adversarial agents that test the plausibility of vulnerabilities at each step. The solution ends up mirroring the traditional phases of a pentest — recon, analysis, exploitation (and remediation which is not mentioned in this post)...

>

> AI-driven vulnerability detection is moving fast... What's intriguing is that many of these vulnerabilities are pretty straightforward — they could've been spotted with a solid code review or standard scanning tools. But conventional methods often miss them because they don't fit neatly into known patterns. That's where AI comes in, helping us catch issues that might slip through the cracks.

"Many vulnerabilities remain undisclosed due to ongoing remediation efforts or pending responsible disclosure processes," according to the blog post, which includes a pie chart showing the biggest categories of vulnerabilities found:

53%: Authorization flaws, including broken access control in API endpoints and unauthorized Redis access and configuration exposure. ("Impact: Unauthorized access, data leakage, and resource manipulation across tenant boundaries.")

26%: File operation issues, including directory traversal in configuration loading and unsafe file handling in upload features. ("Impact: Unauthorized file access, sensitive data exposure, and potential system compromise.")

16%: Code execution vulnerabilities, including command injection in file processing and unsanitized input in system commands. ("Impact: Remote code execution, system command execution, and potential full system compromise.")

The company's CIO/cofounder was "former Red Team at Tesla," according to the [4]startup's profile at YCombinator, and earned over $100,000 as a bug-bounty hunter. (And another co-founder is a former Google security engineer.)

Thanks to Slashdot reader [5]Mirnotoriety for sharing the article.



[1] https://zeropath.com/blog/0day-discoveries

[2] https://www.ycombinator.com/launches/LOk-zeropath-autonomous-vulnerability-patching

[3] https://aicyberchallenge.com/

[4] https://www.ycombinator.com/companies/zeropath

[5] https://www.slashdot.org/~Mirnotoriety



Run it on a very large code base + human checks (Score:2)

by will4 ( 7250692 )

Would like to see this prove itself out by running on the many hundreds of infrastructure, plumbing, and common programs in use with human review of all findings and a false positive and severity rating report generated.

And then check it by language which has the most AI found and human verified critical bugs and exploits.

Would like to see a most secure language ranking estimate based on a 10,000,000 line sample of production code and not the 'promises by language design' security since security also inc

No. (Score:3)

by gweihir ( 88907 )

This is just the usual over-promising the AI proponents like to do to push their crap. Sure, there may be some demos, but the fact of the matter is that this will not work reliably. And that is before attackers adjust to it. In addition, the "vulnerabilities discovered" metric is completely bogus and worthless. It does sound good to the clueless though. What you actually need is a "vulnerabilities not discovered" metric and then you need to add weights to each one to express severity, similar to, for example, the OWASP Top 10.

Re: (Score:2)

by alvinrod ( 889928 )

I think it does illustrate how overhyped and oversold AI is that the companies hawking it are going to such bullshit extremes to try to earn any kind of actual money they can. There are probably a few different use cases or even actual business uses for current AI, but it's still not quite "there" yet. For everyone who thinks we are there, recall how impressive the ELIZA program was at the time of release. The new crop of AI is mostly suited to helping people who can't draw or use Photoshop make shit posts
