'Project Naptime' Allows Google Engineers To Take A Nap, While The AI Goes To Work

Project Zero is a team of security analysts employed by Google, whose mission is to find zero-day vulnerabilities in software.

The team focuses on identifying and reporting security flaws to the respective vendors and ensuring these issues are addressed before they can be exploited by malicious actors. Works include vulnerability research in various products, and disclose them privately, in order to give the vendors time to patch the vulnerability.

The team at Project Zero has been making huge impact on security practices, thanks to their high-profile discoveries.

But due to their continuous work to help secure software, the team members are actually relentless.

And 'Project Naptime' is something they can use to deal with their human-side needs.

In a blog post, the team wrote that:

"At Project Zero, we constantly seek to expand the scope and effectiveness of our vulnerability research. Though much of our work still relies on traditional methods like manual source code audits and reverse engineering, we're always looking for new approaches."

And describing Naptime, the team wrote:

"Since mid 2023 we've been working on a framework for LLM assisted vulnerability research embodying these principles, with a particular focus on automating variant analysis. This project has been called "Naptime" because of the potential for allowing us to take regular naps while it helps us out with our jobs. Please don't tell our manager."

The idea is to enable Large Language Models (LLMs) to conduct their research in a way that closely mirrors the "iterative, hypothesis-driven approach" of human security professionals, they said.

The goal, is to be able to 'take a nap' while the AI solves their problems, for them.

The team started developing Naptime, after seeing improvements in code comprehension and the general reasoning ability of LLMs.

Based on the research gone by Meta researchers, which includes new LLM benchmarks for discovering and exploiting memory safety issues, the team at Project Zero "have been exploring how these models can reproduce the systematic approach of a human security researcher when identifying and demonstrating security vulnerabilities."

"We find that, by refining the testing methodology to take advantage of modern LLM capabilities, significantly better performance in vulnerability discovery can be achieved."

“This architecture not only enhances the agent’s ability to identify and analyze vulnerabilities but also ensures that the results are accurate and reproducible,” Project Zero analysts Sergei Glazunov and Mark Brand wrote.

"While modelling a human workflow is not necessarily an optimal way for an LLM to solve a task, it provides a soundness check for the approach, and allows for the possibility of collecting a comparative baseline in the future."

At this time, the researchers concluded that when "provided with the right tools," current LLMs can really start to perform rather basic vulnerability research, which is a good start.

The researchers hope that soon, using AI can help automate security works, enabling automated detection of "unfuzzable" vulnerabilities.

Published:

27/06/2024