Google has recently announced that its latest AI model, "Big Sleep," has identified a memory safety vulnerability in the SQLite database engine: an exploitable stack buffer underflow, which was fixed before the affected code reached an official release. Big Sleep is a collaborative effort between Google's Project Zero and DeepMind and is considered an upgraded version of the earlier Project Naptime.

Hacker Leak

SQLite is an open-source database engine, and this vulnerability could allow attackers to crash SQLite or even execute arbitrary code through a maliciously constructed database file or SQL injection. Specifically, the issue stems from the magic value -1 unexpectedly being used as an array index. Although the code includes an assert() to catch this condition, such debug-level checks are compiled out of release builds.
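The following C is an added illustration of the pattern described above, not SQLite's code (which the article does not quote): a search that returns the sentinel -1, a lookup guarded only by assert(), and a hardened lookup whose bounds check survives release builds. The names find_key, lookup_assert_only, lookup_checked and the table contents are constructed for the example.

```c
#include <assert.h>

/* Constructed example, not SQLite's code: a search that returns the magic
 * value -1 for "not found", and two lookups that consume that index. */
#define NOT_FOUND (-1)
#define TABLE_LEN 4

static int find_key(const int *keys, int n, int key) {
    for (int i = 0; i < n; i++) if (keys[i] == key) return i;
    return NOT_FOUND;              /* the sentinel the article describes */
}

/* The pattern the article describes: the only guard is an assert(), so a
 * release build compiled with -DNDEBUG drops it, and table[-1] reads the
 * stack slot just below the array (a stack buffer underflow). */
static int lookup_assert_only(const int *table, int idx) {
    assert(idx >= 0 && idx < TABLE_LEN);
    return table[idx];
}

/* Hardened form: the bounds check is ordinary control flow, present in
 * every build, and the sentinel is reported to the caller as an error. */
static int lookup_checked(const int *table, int idx, int *out) {
    if (idx < 0 || idx >= TABLE_LEN) {
        return -1;                 /* covers idx == NOT_FOUND */
    }
    *out = table[idx];
    return 0;
}

/* Whether assert() is active in this build: 1 for debug, 0 under NDEBUG. */
static int debug_checks_present(void) {
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

int main(void) {
    int keys[TABLE_LEN]  = {10, 20, 30, 40};     /* constructed data */
    int table[TABLE_LEN] = {100, 200, 300, 400};
    int value = 0;
    int idx = find_key(keys, TABLE_LEN, 99);    /* 99 is absent -> -1 */
    /* lookup_assert_only(table, idx) would abort in a debug build and read
     * out of bounds in release; the checked variant fails cleanly in both. */
    return lookup_checked(table, idx, &value) == -1 ? 0 : 1;
}
```

Compile once with and once without -DNDEBUG to see debug_checks_present() change while lookup_checked() rejects the -1 index either way.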

Google pointed out that exploiting this vulnerability is not straightforward; more importantly, however, this marks the first time AI has discovered a known vulnerability in real-world software. According to Google, traditional fuzzing methods failed to find this problem, but Big Sleep did. After analyzing a series of commits to the project's source code, Big Sleep identified the vulnerability in early October, and it was fixed the same day.

In its announcement on November 1, Google stated that this research has significant potential in defense. While fuzzing has proven effective, the Google team believes a new approach is needed to help developers find vulnerabilities that are difficult to detect through fuzzing, and they are optimistic about AI's capabilities in this area.

Prior to this, Seattle-based Protect AI had also released an open-source tool called Vulnhuntr, claiming to use Anthropic's Claude AI model to discover zero-day vulnerabilities in Python codebases. However, the Google team emphasized that these two tools serve different purposes, with Big Sleep focusing on memory safety-related vulnerabilities.

Currently, Big Sleep remains in the research phase, previously tested mainly on small programs with known vulnerabilities. This marks its first experiment in a real-world environment. To conduct the test, the research team gathered several recent commits to the SQLite codebase, analyzed them, adjusted the model's prompts, and ultimately identified the vulnerability.

Despite this achievement, the Google team reminds us that these results are still in the highly experimental stage, and targeted fuzzing may be equally effective in discovering vulnerabilities.

Key Points:

🔍 **Google's AI model Big Sleep discovers a memory safety vulnerability in SQLite for the first time.**

🛠️ **The vulnerability was fixed before the official release, marking a new advancement in AI's capability for vulnerability discovery.**

📊 **Despite the success, Google emphasizes that the current results are still experimental, and fuzzing remains effective.**