Get a demo

Voyager18 (research)

Google's AI tool Big Sleep finds zero-day vulnerability in SQLite database engine

Google has announced that an AI-powered agent has successfully discovered a previously unknown zero-day security vulnerability in widely used real-world software. This marks the first public instance of an AI system identifying a critical flaw, showcasing the potential of artificial intelligence in uncovering vulnerabilities that were previously only detectable by human researchers.

Yair Divinsky | November 6, 2024

In a groundbreaking achievement that could redefine cybersecurity practices, Google has announced that an AI-powered agent has successfully discovered a previously unknown zero-day security vulnerability in widely used real-world software. This marks the first public instance of an AI system identifying a critical flaw, showcasing the potential of artificial intelligence in uncovering vulnerabilities that were previously only detectable by human researchers. 

This blog post dives deep into the details of the Big Sleep project, the vulnerability it uncovered, and the future of AI in cybersecurity

What is Google’s Big Sleep AI tool new Zero-Day vulnerability in SQLite database engine?

Google has announced the discovery of a zero-day vulnerability in the widely-used SQLite database engine using its artificial intelligence (AI)-powered framework, Big Sleep. This marks a significant milestone as it is the first known instance of an AI agent finding a previously unknown, exploitable memory-safety issue in real-world software. This vulnerability was discovered before it could be exploited in the wild, showcasing the promising potential of AI-driven security research. 

The discovery was made by Big Sleep, a collaboration between Google’s Project Zero and DeepMind, who combined their expertise in cybersecurity and AI to create a large language model-powered agent capable of identifying exploitable vulnerabilities in widely used software. In this case, the AI agent found an exploitable stack buffer underflow in SQLite, an open-source database engine utilized across many platforms. 

The discovery: Zero-Day vulnerability in SQLite

In an announcement made on November 1, 2024, the Big Sleep team revealed that their AI tool had discovered a stack buffer underflow vulnerability in SQLite, an open-source database engine used by countless applications, services, and devices globally. The vulnerability was identified in early October 2024, well before it appeared in an official release of SQLite, meaning it was not yet available to attackers. 

A stack buffer underflow occurs when a program accesses a memory location that is outside the bounds of an allocated memory buffer. This can lead to a crash or, more dangerously, arbitrary code execution, which could be exploited by attackers to compromise systems. Typically, such vulnerabilities arise when pointer arithmetic (such as decrementing a pointer or using negative indexes) leads to memory being accessed in an invalid or unintended location. 

Project Zero’s blog explains that the vulnerability was reported to the SQLite development team on the same day it was discovered, allowing them to patch the flaw quickly and preventing any potential exploits from occurring.

What is Big Sleep?

Big Sleep is an advanced AI framework developed by Google Project Zero in collaboration with Google DeepMind. Initially introduced as Project Naptime in 2024, the project has evolved into Big Sleep, a system designed to leverage large language models (LLMs) for security vulnerability detection in widely used software. 

At its core, Big Sleep combines the sophisticated capabilities of LLMs – specifically trained to understand and reason about code – with a suite of specialized tools to simulate human-like vulnerability research. The goal is to automate the process of vulnerability discovery, making it faster, more accurate, and more efficient than traditional methods. 

By simulating how a human would interact with code, Big Sleep can navigate codebases, identify potential weaknesses, and even generate inputs to trigger vulnerabilities in software, all without direct human intervention. 

AI could be the future of Fuzzing: How Big Sleep works

The Big Sleep team used their AI agent to perform security vulnerability research by utilizing fuzzing and code comprehension techniques. Fuzzing is a method of testing software by inputting random or semi-random data into the program to trigger crashes or unexpected behavior. While traditional fuzzing tools are effective, they often miss vulnerabilities that require more intelligent, nuanced analysis. This is where Big Sleep comes in. 

Big Sleep enhances fuzzing by incorporating an LLM’s code understanding and reasoning capabilities. Here’s how it works: 

  1. Code Navigation – Big Sleep’s AI agent can explore and navigate the target codebase, understanding the logical flow of the software. 
  2. Input Generation – It runs Python scripts in a sandboxed environment to generate inputs for fuzzing. These inputs are carefully crafted to explore edge cases and potential security weaknesses that standard fuzzers may overlook. 
  3. Debugging and Observing Results – The agent can debug the program and analyze the results of its tests, refining its approach based on what it finds. 

While the Big Sleep team’s results are still in the early experimental stages, they are optimistic about the future. They believe that AI-powered agents will eventually surpass traditional fuzzers in their ability to find vulnerabilities. Moreover, these AI agents could assist in more than just finding flaws – they could help provide root-cause analysis, triage issues, and even propose fixes. 

The potential to streamline and enhance vulnerability management could make security processes much more efficient and cost-effective in the future. Through this process, Big Sleep can detect vulnerabilities that might be difficult or impossible for human researchers or traditional fuzzing tools to spot.

Big Sleep’s potential: AI as the future of vulnerability research

The discovery of the SQLite vulnerability is just the beginning. Google’s Big Sleep team believes that this technology has the potential to revolutionize vulnerability discovery in the coming years. The ability to find vulnerabilities before software is even released means that these weaknesses can be patched proactively, reducing the window of opportunity for attackers. 

Currently, Big Sleep is still in the experimental phase, and the team admits that its effectiveness is comparable to that of target-specific fuzzers. However, the long-term potential of Big Sleep is immense. Here’s why: 

  • Proactive Vulnerability Discovery – By identifying vulnerabilities during development, software developers can address security issues before the software is made public, reducing the risk of exploitation. 
  • Faster and More Efficient Patch Development – The AI agent can automate parts of the vulnerability triage process, helping developers identify root causes faster and with more precision. This could lead to faster patching and cheaper remediation costs. 
  • Improved Vulnerability Scanning – Over time, Big Sleep could enhance vulnerability scanning by improving its ability to detect even the most elusive bugs that traditional tools cannot find. 

While there is still much work to be done, the promise of AI-driven security tools is undeniable, and the Big Sleep project represents one of the most advanced steps in this direction. 

Challenges and Limitations of AI in Cybersecurity

As with any new technology, there are challenges and potential risks to consider. While AI tools like Big Sleep offer a revolutionary approach to vulnerability discovery, they are not without their limitations: 

  • Experimental Nature – Big Sleep’s results are still considered highly experimental, and while it found a significant vulnerability, it is not yet a mature tool that can replace traditional methods. 
  • Dependence on Training Data AI models are only as good as the data they are trained on. Big Sleep’s performance depends on the quality and diversity of the codebases it has been exposed to. 
  • False Positives AI-driven tools may flag vulnerabilities that aren’t actual security issues, leading to wasted resources in investigating and remediating non-issues. 
  • Ethical Considerations: As AI begins to play a larger role in cybersecurity, questions around data privacy, bias in models, and the ethics of autonomous decision-making in security research will need to be addressed. 

The collaboration between Google Project Zero and Google DeepMind has shown that AI can play a critical role in improving security research. By automating the process of vulnerability discovery and providing insights that traditional methods cannot, tools like Big Sleep may soon become invaluable assets in the cybersecurity toolkit. 

As AI-powered security tools continue to evolve, they will likely become increasingly adept at identifying vulnerabilities with greater precision and speed. However, their true value will come from the combination of AI and human expertise. The future of cybersecurity may very well be a hybrid approach, where AI augments human efforts, helping us stay one step ahead of attackers. 

For now, Big Sleep’s discovery of the SQLite vulnerability is a promising glimpse into the future of security research. As the tool matures, it could become an essential part of the cybersecurity landscape, making it harder for attackers to exploit vulnerabilities before they are fixed. 

The flip side of AI Is seen In Deepfake Security Threats

 While AI’s role in cybersecurity shows immense promise, it also has a darker side. Deepfakes -manipulated videos or audio that use AI to convincingly simulate real people – pose a significant security threat. AI’s ability to generate realistic but fake content has already been used in various attacks, including a recent case involving a Gmail user.

Research into deepfake technology has revealed that it can influence public opinion, manipulate reputations, and even impact political events. In a recent study by VPNRanks, 50% of respondents reported encountering deepfake videos online multiple times. The research also found that 74% of people are extremely concerned about deepfakes being used to manipulate political or social opinions, with 65.7% fearing that deepfakes released during election campaigns could sway voter decisions.

Furthermore, deepfakes present a growing threat to identity security, with predictions suggesting that global deepfake-related identity fraud attempts could reach 50,000 by 2025. The potential for deepfakes to interfere with elections and undermine the integrity of democracy is a real concern, and social media platforms are urged to take action by removing non-consensual deepfake content immediately.

Conclusion

Google’s Big Sleep has opened a new frontier in AI-driven cybersecurity research, marking the first public example of an AI agent discovering a zero-day vulnerability in real-world software. The stack buffer underflow vulnerability in SQLite highlights not only the power of AI in finding previously unknown flaws but also the potential to shift the balance in the ongoing battle between defenders and attackers. 

As Big Sleep continues to evolve, the security industry is watching closely to see how AI can further transform the landscape of vulnerability discovery, patching, and overall software security. The future is certainly bright for AI in cybersecurity, and this discovery is just the beginning.

Further reading

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q3 2024 Vulnerability Watch
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Vulnerability disclosure policy (and how to get it right)
  5. How to properly tackle zero-day threats

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners.

View more
Accept
Decline

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management