Google DeepMind tackles software vulnerabilities with AI agent

Google's DeepMind artificial intelligence (AI) division has published details of its CodeMender vulnerability finding agent, which is designed to automatically identify and patch security flaws in code.

CodeMender is an effort to help developers keep pace with fixing vulnerabilities and patches for them through using AI, which is becoming better at finding security flaws as time goes on.

The agent is able to equip itself with tools needed to reason about code, before making changes.

Changes are then automatically validated, to prevent regressions, so as to avoid introducing new problems and following style guidelines to aid human reviews of patches.

Google DeepMind said that patches are subject to human reviews before being submitted.

CodeMender uses recent Gemini Deep Think models to create an autonomous agent that can debug code, and sort out complex vulnerabilities it finds.

DeepMind said CodeMender has contributed 72 security fixes to open-source projects over the past six months.

This includes codebases as large as 4.5 million lines, DeepMind said.

As an example of its capabilities, DeepMind said CodeMender found a non-obvious bug in memory heap buffer overflow case that turned out to be wrong stack management of extensible markup language (XML) elements during parsing of files. 

A popular image compression code library, libwebp, was also annotated in parts using CodeMender to force code compilers to include bounds checks, which prevent buffer overflows that are commonly used in exploits.

DeepMind said that if the compiler flag had been added earlier, a 2023 libwebp vulnerability exploited by a threat actor as part of an Apple iOS zero-day bug would not have worked.

Google will ask open-source project maintainers for feedback on the AI generated patches it has submitted and use that for developing CodeMender further before the tool is released to a broader audience.

Detailed technical papers on CodeMender are in the works too, DeepMind said.

AI is increasingly used by Google in a security context.

In August this year, Google DeepMind said its Big Sleep tool, also built on the Gemini LLM, had found multiple vulnerabilities in open-source software.

At the end-user level, Google said it intends to bring in AI-powered ransomware detection for the Workspace productivity suite, a security feature aimed at stopping such malware from corrupting files stored in users' Drive cloud storage.