Google DeepMind has introduced a new AI agent designed to autonomously detect and fix critical security vulnerabilities in software code. The aptly named CodeMender has already provided 72 security fixes to established open source projects over the past six months.
Identifying and patching vulnerabilities is known to be a very difficult and time-consuming process, even using traditional automated methods such as fuzzing. Google DeepMind’s own research, including AI-based projects such as Big Sleep and OSS-Fuzz, has proven effective at discovering new zero-day vulnerabilities in well-audited code. However, this success creates new bottlenecks. As AI accelerates flaw detection, the burden on human developers to fix flaws increases.
CodeMender is designed to address this imbalance. It acts as an autonomous AI agent that takes a comprehensive approach to fixing code security. Its features both reactive features that allow you to instantly patch newly discovered vulnerabilities, and proactive features that allow you to rewrite existing code to eliminate an entire class of security flaws before they are exploited. This allows human developers and project managers to spend more time building features and improving software features.
The system works by leveraging the advanced inference capabilities of Google’s recent Gemini Deep Think model. This foundation allows agents to debug and solve complex security issues with high degree of autonomy. To achieve this, the system is equipped with a set of tools that allow you to analyze and infer the code before implementing changes. CodeMender also includes a validation process to ensure that the changes are correct and no new issues known as regression.
Large language models are rapidly advancing, but making mistakes in the security of your code can lead to significant damage. Therefore, the CodeMender automatic verification framework is essential. Systematically check that the proposed changes fix the root cause of the problem, are functionally correct, do not disrupt existing tests, and comply with the project’s coding style guidelines. Only high-quality patches that meet these strict standards will be published for human reviews.
To increase the effectiveness of code modifications, the DeepMind team has developed new technology for AI agents. CodeMender employs advanced programmatic analysis using a range of tools, including static and dynamic analysis, differential testing, fuzzing, and SMT solvers. These tools allow you to systematically scrutinize code patterns, control flows, and data flows to identify the underlying causes of security flaws and architectural weaknesses.
The system also uses a multi-agent architecture, with specialized agents deployed to address specific aspects of the issue. For example, using a dedicated large-scale language model-based critique tool reveals the difference between the original code and the modified code. This allows the primary agent to ensure that the proposed changes do not cause unintended side effects and self-correct their approach if necessary.
In one practical example, CodeMender addressed an vulnerability in which crash reports indicate heap buffer overflow. The final patch only required a few lines of code changes, but the root cause was not immediately clear. Using the debugger and code search tool, the agent determined that the real problem was a stack management issue for Extensible Markup Language (XML) elements that are being parsed elsewhere in the codebase. In another case, the agent devised a critical patch for complex object lifetime issues and modified the custom system for generating C code within the target project.
CodeMender is designed to not only address existing bugs, but also proactively enhance your software against future threats. The team deployed an agent to apply -fbounds-safety Annotations to some of the widely used image compression library libwebp. These annotations tell the compiler to add bounds checking to the code. This prevents attackers from exploiting buffer overflows to execute arbitrary code.
This effort is particularly relevant given that the libwebp heap buffer overflow vulnerability tracked as CVE-2023-4863 was used by threat actors in zero-click iOS exploits a few years ago. DeepMind points out that if these annotations were properly placed, that particular vulnerability would have been unexploitable along with most other buffer overflows in the annotated section.
Proactive code modification by AI agents involves sophisticated decision-making processes. Applying annotations allows you to automatically fix new compilation errors and automatically fix test failures caused by your own changes. If the validator detects that a change has corrupted the feature, the agent will self-correct based on the feedback and try another solution.
Despite these promising early results, Google DeepMind adopts a deliberate and planned deployment approach, focusing on reliability. Currently, all patches generated by CodeMender are reviewed by human researchers before being submitted to an open source project. The team is gradually increasing the number of posts to ensure high quality and systematically incorporate feedback from the open source community.
Looking ahead, researchers will provide CodeMender-generated patches to maintainers of important open source projects. By repeating community feedback, we hope to ultimately release CodeMender as a tool that is generally available to all software developers.
The DeepMind team will be publishing technical papers and reports in the coming months to share their techniques and results. This research will be the first step in exploring the possibilities of AI agents that proactively modify the code and fundamentally enhance software security for everyone.
See also: CAMIA privacy attack reveals AI model memories
Want to learn more about AI and big data from industry leaders? Check out the AI & Big Data Expo in Amsterdam, California and London. This comprehensive event is part of TechEx and will be hosted alongside other major technology events, such as the Cyber Security Expo. Click here for more information.
AI News is provided by TechForge Media. Find out more upcoming enterprise technology events and webinars here.
