Summary

Google Deepmind has launched a new research project using artificial intelligence to detect, fix, and eventually prevent entire classes of software vulnerabilities. According to the company, CodeMender has already delivered dozens of patches to open-source projects.

Deepmind says it is developing an automated system that scans code for security flaws and can propose or apply fixes on its own. The project, called CodeMender, analyzes source code and independently suggests or implements security patches.

Researchers point to the growing challenge of finding and fixing vulnerabilities, which traditional approaches like fuzzing or static analysis can no longer fully address. Earlier efforts like Big Sleep and OSS-Fuzz showed that AI is capable of discovering new bugs in established programs. CodeMender aims to automate these processes while also verifying the quality of its repairs.

Combined analysis and validation systems

The agent is powered by the Gemini Deep Think language model and combines several techniques: static and dynamic code analysis, differential testing, fuzzing, and SMT solvers. All changes are automatically checked, including by an internal tool that compares the original and modified code and triggers corrections if needed.

According to Deepmind, this multi-stage review process ensures that only patches that are both functionally correct and traceable move forward. All suggestions are currently reviewed by human researchers before being merged into software projects.

Working with the open-source community

In a test project, Deepmind says CodeMender identified the root cause of a heap buffer overflow in XML code related to faulty stack management - a problem that could not have been found just from the crash report. In another case, the agent adjusted the lifecycle of C objects in a generative codebase to prevent memory errors.

The software can also proactively secure existing code. For this, Deepmind uses "-fbounds-safety" annotations to enable compiler checks against memory access errors. This method has already been applied to parts of the widely used libwebp library. A previous vulnerability in libwebp (CVE-2023-4863) was exploited in a zero-click iOS attack by NSO Group in 2023. Deepmind says the new compiler protections could mitigate or even prevent such vulnerabilities.
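The annotation approach described above attaches a bound to a raw pointer so the compiler, rather than the programmer, enforces it on every access. The following added example (it is not code from Google DeepMind or from libwebp) shows the pattern on a small image-row structure: under Clang with -fbounds-safety the `__counted_by` attribute ties `data` to `len`, and any index past `len` traps at run time; on other compilers the macro expands to nothing and the explicit checks in the accessors are the only protection. The feature-test name `bounds_safety` and the struct, function and sample values are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif

/* Under clang -fbounds-safety the attribute names the field or parameter that
 * bounds the pointer, so every index or memcpy through it is checked by the
 * compiler. Elsewhere it expands to nothing and the explicit checks below are
 * the only defence. (The feature-test name is assumed for this example.) */
#if __has_feature(bounds_safety)
#define COUNTED_BY(bound) __counted_by(bound)
#else
#define COUNTED_BY(bound)
#endif

/* One decoded image row: a pixel buffer plus the count that bounds it. */
struct pixel_row {
    size_t len;
    uint8_t *COUNTED_BY(len) data;
};

/* Allocate a row and fill it from a caller-supplied, bounded source. */
int row_init(struct pixel_row *row, const uint8_t *COUNTED_BY(n) src, size_t n) {
    uint8_t *buf = malloc(n ? n : 1);
    if (buf == NULL) return -1;
    memcpy(buf, src, n);
    /* With -fbounds-safety the count and the pointer must be updated
     * together so the two can never disagree. */
    row->len = n;
    row->data = buf;
    return 0;
}

void row_free(struct pixel_row *row) {
    free(row->data);
    row->data = NULL;
    row->len = 0;
}

/* Checked read: the byte value, or -1 when the index is out of bounds.
 * Under -fbounds-safety an unchecked row->data[i] would trap instead of
 * silently reading past the allocation. */
int row_get(const struct pixel_row *row, size_t i) {
    if (i >= row->len) return -1;
    return row->data[i];
}

/* Copy into a destination that carries its own bound. Returns bytes copied,
 * or -1 if the destination is too small (the classic overflow, refused). */
int row_copy_to(const struct pixel_row *row,
                uint8_t *COUNTED_BY(dst_len) dst, size_t dst_len) {
    if (dst_len < row->len) return -1;
    memcpy(dst, row->data, row->len);
    return (int)row->len;
}

/* Sum of all pixels, iterating strictly within the bound. */
unsigned row_sum(const struct pixel_row *row) {
    unsigned s = 0;
    for (size_t i = 0; i < row->len; i++) s += row->data[i];
    return s;
}

int main(void) {
    /* Constructed sample input: a four-pixel grayscale row. */
    static const uint8_t sample[] = {10, 20, 30, 40};
    struct pixel_row row;
    if (row_init(&row, sample, sizeof sample) != 0) return 1;
    printf("sum=%u get[3]=%d get[4]=%d\n",
           row_sum(&row), row_get(&row, 3), row_get(&row, 4));
    row_free(&row);
    return 0;
}
```

Compile with `clang -fbounds-safety` to have the compiler insert the checks implied by `__counted_by`; with any other compiler the program still builds and the explicit tests in `row_get` and `row_copy_to` do the same job by hand. The value of the annotation is that it also covers code paths that forget the manual check.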

Since launch, CodeMender has contributed more than 70 security fixes to open-source projects, including some with millions of lines of code. All changes are manually reviewed before release. In the long run, Deepmind plans to make the agent available as a tool for developers and to publish further research on its results.

Summary
  • Google Deepmind has introduced CodeMender, an AI-driven project that automatically detects, fixes, and helps prevent software vulnerabilities, already delivering more than 70 security patches to open-source projects.
  • CodeMender uses the Gemini Deep Think language model, combining static and dynamic code analysis, fuzzing, differential testing, and SMT solvers, with all changes undergoing a multi-stage validation process and review by human researchers before integration.
  • The system has identified and repaired complex security issues, such as heap buffer overflows and memory errors, and applied new compiler protections to widely used libraries like libwebp, aiming to provide developers with automated tools and share ongoing research results.
Max is the managing editor of THE DECODER, bringing his background in philosophy to explore questions of consciousness and whether machines truly think or just pretend to.