Google has announced the discovery of a zero-day vulnerability in the SQLite open-source database engine, found using its Large Language Model (LLM)-assisted framework called Big Sleep (formerly Project Naptime).
The tech giant described the development as the “first real-world vulnerability” discovered using an artificial intelligence (AI) agent.
In a blog post shared with The Hacker News, the Big Sleep team said, “We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software.”
The vulnerability in question is a stack buffer underflow in SQLite. This occurs when the software references a memory location prior to the beginning of the memory buffer, causing a crash or execution of arbitrary code.
“This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory locations, or when a negative index is used,” per the Common Weakness Enumeration (CWE) description of the bug class.
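To illustrate the bug class only (this is not the actual SQLite flaw, whose details Google covers in its post), a minimal C sketch of a stack buffer underflow via a negative index might look like this:

```c
#include <stdio.h>

/* Hypothetical sketch of a stack buffer underflow -- not the real
 * SQLite bug. Attacker-influenced arithmetic produces a negative
 * index, so the write lands *before* the start of the buffer. */
static void record_value(int field_id, char value)
{
    char buf[16];
    /* Bug: only the upper bound is checked; field_id - 10 can be
     * negative, e.g. field_id = 0 yields index -10. */
    int index = field_id - 10;
    if (index < 16)
        buf[index] = value; /* out-of-bounds write before buf[0] */
    printf("recorded at index %d\n", index);
}

int main(void)
{
    record_value(0, 'X'); /* index = -10: stack buffer underflow */
    return 0;
}
```

Depending on what sits below the buffer on the stack, such a write can corrupt saved registers or local state, producing the crashes or code-execution potential described above.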
Following responsible disclosure, the shortcoming was addressed in early October 2024. It is worth noting that the flaw was discovered in a development branch of the library, meaning it was flagged before it made it into an official release.
Project Naptime was first detailed by Google in June 2024 as a technical framework for improving automated vulnerability discovery approaches. It later evolved into Big Sleep as part of a broader collaboration between Google Project Zero and Google DeepMind.
The idea behind Big Sleep is to leverage an LLM’s code-comprehension and reasoning capabilities, using an AI agent to simulate human behavior when identifying and demonstrating security vulnerabilities.
This entails using a set of specialized tools that allow the agent to navigate the target codebase, run Python scripts in a sandboxed environment to generate inputs for fuzzing, and debug the program to observe the results.
“We believe this effort has tremendous defensive potential. Finding vulnerabilities before software is released means attackers have no room to compete: vulnerabilities are fixed before an attacker has a chance to use them,” Google said.
However, the company also emphasized that these are still experimental results, adding that “the opinion of the Big Sleep team is that, at present, target-specific fuzzers are likely to be at least as effective” at discovering vulnerabilities.
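For context, a target-specific fuzzer of the kind Google refers to is typically a small harness wired into a coverage-guided engine. The sketch below assumes libFuzzer’s standard `LLVMFuzzerTestOneInput` entry point and simply treats each input as a SQL statement; SQLite’s own harnesses (such as those in its repository and on OSS-Fuzz) are considerably more sophisticated.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sqlite3.h>

/* Minimal libFuzzer-style harness sketch: each fuzz input is executed
 * as a SQL statement against a fresh in-memory database. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    sqlite3 *db;
    if (sqlite3_open(":memory:", &db) != SQLITE_OK)
        return 0;

    /* NUL-terminate the raw bytes so they can be passed as SQL text. */
    char *sql = malloc(size + 1);
    if (sql) {
        memcpy(sql, data, size);
        sql[size] = '\0';
        sqlite3_exec(db, sql, NULL, NULL, NULL); /* SQL errors expected */
        free(sql);
    }

    sqlite3_close(db);
    return 0;
}
```

Built with, for example, `clang -fsanitize=fuzzer,address harness.c sqlite3.c`, such a harness exercises the parser with mutated inputs until a sanitizer flags a memory-safety violation, which is the baseline Big Sleep’s agent-driven approach is being measured against.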