Google researchers discover first vulnerability using AI

Google researchers have announced the discovery of the first vulnerability using a large language model.

Google researchers announced a breakthrough in cybersecurity, revealing they have discovered the first vulnerability using a large language model. This vulnerability, identified as an exploitable memory-safety issue in SQLite—a widely used open-source database engine—marks a significant milestone, as it is believed to be the first public instance of an AI tool uncovering a previously unknown flaw in real-world software.

The vulnerability was reported in early October to the SQLite developers, who promptly addressed the issue on the same day it was identified. Notably, the bug was discovered before being included in an official release, ensuring that SQLite users were unaffected. Google emphasised this development as a demonstration of AI’s significant potential for enhancing cybersecurity defences.

The initiative is part of a collaborative project called Big Sleep, which involves Google Project Zero and Google DeepMind, stemming from previous efforts focused on AI-assisted vulnerability research.

Many companies, including Google, typically employ a technique known as ‘fuzzing’, where software is tested by inputting random or invalid data to uncover vulnerabilities. However, Google noted that fuzzing often falls short in identifying hard-to-find bugs. The researchers expressed optimism that AI could help bridge this gap. ‘We see this as a promising avenue to achieve a defensive advantage,’ they stated.

The identified vulnerability was particularly intriguing because it was missed by existing testing frameworks, including OSS-Fuzz and SQLite’s internal systems. One of the key motivations behind the Big Sleep project is the ongoing challenge of vulnerability variants, with more than 40% of zero-day vulnerabilities identified in 2022 being variants of previously reported issues.