Recently, Heather Adkins, Vice President of Security at Google, announced at an event that Big Sleep, an AI-driven vulnerability researcher developed by Google, has identified and reported 20 security vulnerabilities in several popular open-source software.
These vulnerabilities mainly appear in projects such as the audio and video processing library FFmpeg and the image processing software ImageMagick. Big Sleep was developed jointly by Google's artificial intelligence department, DeepMind, and its top hacker team, Project Zero.
Although these vulnerabilities have not been fixed yet, Google has not provided detailed information about the specific impact or severity of the vulnerabilities, which is a common practice during the waiting period for fixes. However, the fact that Big Sleep discovered the vulnerabilities is significant, marking the beginning of practical effectiveness for AI-based security detection tools.
Kimberly Samra, a Google spokesperson, stated that to ensure the quality and operability of the vulnerability reports, human experts will be involved in the review before the report is released. However, each vulnerability discovery and reproduction is independently completed by the AI without any human intervention. Royal Hansen, Vice President of Engineering at Google, pointed out on the social platform X that this discovery marks a "new advancement" in the field of automated vulnerability discovery, indicating that tools based on large language models (LLMs) are now capable of effectively identifying and discovering security vulnerabilities.
In addition to Big Sleep, Google has also developed other AI-based vulnerability hunters, such as RunSybil and XBOW. XBOW has performed well on the vulnerability bounty platform HackerOne and has attracted widespread media attention. However, during the process of reporting vulnerabilities, many project maintainers have mentioned that sometimes they receive false reports, even referring to them as "AI spam for vulnerability bounty programs." Despite these issues, Vlad Ionescu, co-founder and CTO of RunSybil, emphasized that Big Sleep is a "legitimate" project, supported by experienced Project Zero and the powerful DeepMind team.
Overall, this development demonstrates the potential of AI in the field of cybersecurity, although it also reveals some shortcomings. The future still requires continuous improvement and refinement.
Key Points:
🌐 Big Sleep successfully found 20 security vulnerabilities, mainly in open-source software such as FFmpeg and ImageMagick.
🔍 AI tools have made new progress in the field of vulnerability discovery, showing their practical application potential.
👥 Human review ensures the quality of reports, and AI still requires the participation and verification of human experts.