Art of finding zero day vulnerabilities using Open Source AI
I am Harish SG, a security researcher studying for a Master's in Cybersecurity at UT Dallas and an AI security engineer at Cisco. I previously hunted on the Microsoft Bug Bounty Program and Google VRP.
I am sharing this article for security awareness and educational purposes only. I am sharing only personal opinions, and none of these are related to my work at Cisco.
In this article I am going to share how I used an open-source AI model fine-tuned for finding vulnerabilities, called CodeAstra-7B, to identify zero-day vulnerabilities in various open-source projects such as Apache Pulsar, Apache Airflow, Apache Cocoon, TensorFlow, ImageMagick, etc., and how to build a framework that combines static analysis tools such as Semgrep with AI agents built on top of open-source models such as CodeAstra-7B to find 0-day and n-day vulnerabilities efficiently.
Finding CVE-2023-51437 timing attack in Apache Pulsar

In the above example, I entered a code snippet from the Apache Pulsar project that is vulnerable to CVE-2023-51437 into the CodeAstra model as input, and the CodeAstra model successfully identified the vulnerability.
In general, most static analysis tools that use a rule-based engine struggle to find timing-based vulnerabilities.
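What a timing-unsafe comparison looks like next to its constant-time form, as an added example that is not from the original article and is not the Apache Pulsar code. The function names and sample byte strings are constructed, and the count of examined bytes stands in for running time.

```python
import hmac

def leaky_equal(expected: bytes, supplied: bytes):
    """Early-exit comparison: returns (match, bytes_examined).

    bytes_examined stands in for running time. It grows with the length
    of the correct prefix, which is the timing side channel.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def constant_time_equal(expected: bytes, supplied: bytes):
    """Illustrative hardened form: every byte is examined wherever the mismatch is."""
    diff = len(expected) ^ len(supplied)
    examined = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b
        examined += 1
    return diff == 0, examined

def verify_signature(expected: bytes, supplied: bytes) -> bool:
    """What production code should call: the standard-library constant-time compare."""
    return hmac.compare_digest(expected, supplied)

# Constructed sample values (not real signatures).
EXPECTED = bytes.fromhex("a1b2c3d4e5f60718")
WRONG_FIRST = bytes.fromhex("00b2c3d4e5f60718")  # mismatch at byte 0
WRONG_LAST = bytes.fromhex("a1b2c3d4e5f60700")   # mismatch at byte 7

if __name__ == "__main__":
    for name, guess in [("first byte wrong", WRONG_FIRST), ("last byte wrong", WRONG_LAST)]:
        print(name, "leaky:", leaky_equal(EXPECTED, guess),
              "constant:", constant_time_equal(EXPECTED, guess))
```

Both functions return the same boolean, so a rule that only matches on the comparison result sees no difference; the defect is in how much work is done before returning.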
Finding CVE-2022-45135 SQL injection attack in Apache Cocoon project

In the above example, I entered a code snippet vulnerable to SQL injection from the Apache Cocoon project into the CodeAstra model as input, and the CodeAstra model successfully identified the vulnerability.
Finding CVE-2024-27317 file overwrite vulnerability in Apache Pulsar project

In the above example, I entered a code snippet vulnerable to file overwrite from the Apache Pulsar project into the CodeAstra model as input, and the CodeAstra model identified a potential attack surface even though it did not identify the exact vulnerability.
Finding CVE-2021-45229 XSS vulnerability in Apache Airflow project

In the above example, I entered a code snippet vulnerable to XSS from the Apache Airflow project into the CodeAstra model as input, and the CodeAstra model identified the XSS vulnerability successfully.
Finding CVE-2021-37678 insecure deserialization of YAML leading to RCE in TensorFlow project

In the above example, I entered a code snippet vulnerable to insecure deserialization of YAML from the TensorFlow project into the CodeAstra model as input, and the CodeAstra model identified the vulnerability successfully.
Finding CVE-2019-17541 heap buffer overflow vulnerability in ImageMagick library

In the above example, I entered a code snippet vulnerable to heap buffer overflow into the CodeAstra model as input, and the CodeAstra model identified the vulnerability successfully.
Finding CVE-2021-43350 LDAP injection in Apache Traffic Ops

In the above example, I entered a Go code snippet vulnerable to LDAP injection into the CodeAstra model as input, and the CodeAstra model identified the vulnerability successfully.
Observations and Analysis
The CodeAstra-7B model was able to find common vulnerabilities such as SQL injection, XSS, etc. easily compared to business logic vulnerabilities when I prompted it using single-shot prompting.
When I use few-shot prompts, it tends to find vulnerabilities with more accuracy compared to single-shot prompting.
Note: If you are using GPT-4 or any LLM for finding vulnerabilities, always use few-shot prompting with examples for more accuracy.
Comparing with Semgrep and other static analysis tools
Semgrep and other static analysis tools use rule-based engines to detect vulnerable patterns. They are very fast at detecting common vulnerabilities that occur in known code patterns, but they are not able to detect timing-based vulnerabilities or business logic vulnerabilities of the OTP bypass kind. To find business logic vulnerabilities such as OTP bypass, privilege escalation, IDOR, etc., we need to understand the context of the code. An AI model can easily understand this code and find business logic vulnerabilities, but it will be slower compared to rule-engine-based static analysis tools.
Why an open-source AI model when GPT-4 does code review better?
Most companies have a policy that does not allow employees to send sensitive information such as source code to third-party APIs of companies hosting closed AI models, unless they have some partnership with them, such as an OpenAI Enterprise subscription, where they don't train the ML models with user data. In this case we need an open-source AI model that can be deployed in an environment we control.
How to build a tool that can find vulnerabilities more efficiently using static analysis tools and an AI model

We need to use both static analysis tools, to find common pattern-based vulnerabilities, low-hanging bugs, hardcoded credentials, etc., and LLM agents based on CodeAstra, to understand the code and find complicated bugs that need context about the code implementation, such as OTP bypass, privilege escalation, timing-related vulnerabilities, etc. This will help security folks reduce the attack surface and identify n-day vulnerabilities faster, in less than a few hours, in software that has a larger code base.
LLMs are basically really good at identifying potential attack surfaces in the code, and humans can correlate the report and the potential attack surfaces to find vulnerabilities that might have been missed by the AI and patch them quickly.
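One way to wire the two stages together, with the few-shot prompting recommended in the observations above, as an added example that is not the author's framework or CodeAstra's own code. The prompt layout, the `ask_model` callable, the sample Semgrep report and the sample files are all assumptions constructed for illustration.

```python
import json

# Constructed few-shot pairs (code, expected analysis); illustrative only.
FEW_SHOT = [
    ("if otp == sent_otp or retries > 3:\n    grant_access()",
     "OTP bypass: access is granted once retries exceed 3, without a valid OTP."),
    ("def get_invoice(uid, invoice_id):\n    return db.get(invoice_id)",
     "IDOR: invoice is fetched by id with no check that it belongs to uid."),
]

def build_few_shot_prompt(code, examples=FEW_SHOT):
    """Prompt layout is an assumption, not CodeAstra's documented format."""
    parts = ["Identify any vulnerabilities in the code."]
    for sample, analysis in examples:
        parts.append(f"### Code:\n{sample}\n### Analysis:\n{analysis}")
    parts.append(f"### Code:\n{code}\n### Analysis:\n")
    return "\n\n".join(parts)

def parse_semgrep(report_json):
    """Read findings from `semgrep --json` output (results[].check_id/path/start.line)."""
    return [{"source": "semgrep", "path": r["path"], "line": r["start"]["line"],
             "detail": r["check_id"]} for r in json.loads(report_json)["results"]]

def triage(files, report_json, ask_model):
    """Fast rule hits first, then one model pass per file for context-dependent bugs.

    ask_model is a hypothetical callable (prompt -> text) wrapping a locally
    hosted model; model output is queued for human review, not trusted.
    """
    findings = parse_semgrep(report_json)
    for path, code in files.items():
        answer = ask_model(build_few_shot_prompt(code)).strip()
        if answer and not answer.lower().startswith("no vulnerab"):
            findings.append({"source": "llm-needs-review", "path": path,
                             "line": None, "detail": answer})
    return sorted(findings, key=lambda f: (f["path"], f["source"]))

# Constructed inputs: one Semgrep result and two source files.
SEMGREP_JSON = json.dumps({"results": [{"check_id": "hardcoded-credential",
    "path": "app/config.py", "start": {"line": 3}, "end": {"line": 3},
    "extra": {"message": "hardcoded password"}}]})
FILES = {"app/config.py": 'DB_PASSWORD = "changeme"',
         "app/login.py": "if otp == sent_otp or retries > 3:\n    grant_access()"}

def fake_model(prompt):
    """Stand-in for the model so the example runs offline."""
    target = prompt.rsplit("### Code:\n", 1)[1]
    return "OTP bypass via retries check" if "retries > 3" in target else "No vulnerabilities found"
```

Calling `triage(FILES, SEMGREP_JSON, fake_model)` returns the Semgrep hit for `app/config.py` and a model finding for `app/login.py` tagged for human review, which is the correlation step the text assigns to the analyst.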
CodeAstra Demo: https://huggingface.co/spaces/rootxhacker/CodeAstra-7B-demo
CodeAstra huggingface repository: https://huggingface.co/rootxhacker/CodeAstra-7B
Follow me on Twitter: https://twitter.com/CoderHarish
Follow me on LinkedIn: https://www.linkedin.com/in/harish-santhanalakshmi-ganesan-31ba96171/