èƵ

Hackers are using AI to find software bugs – but there is a downside

Artificial intelligence models similar to ChatGPT are able to identify errors in computer code, letting people claim rewards for finding them - but others are using the same tools to report bugs that don't actually exist
Some bugs are easier to find than others
alengo/Getty Images

Ethical hackers are using artificial intelligence tools to find bugs in computer code and claim rewards worth thousands of dollars. However, others are using the same AI tools to generate realistic but nonsensical bug reports, making it hard to know which reports to trust.

Bug bounty schemes offer financial rewards for people who can find flaws in software. These schemes have been used in cybersecurity for decades to encourage people to report problems so programmers can shore up security, both in established tech companies, like Microsoft or Google, and for freely available software.

at Nanyang Technological University in Singapore and his colleagues have developed several tools that use large language models (LLMs) like GPT-4, the technology that powers ChatGPT, to find and fix security flaws in smart contracts, which are digital agreements stored on blockchains, such as the Ethereum network.

These contracts relate to things like house purchases or agreements on how crowdfunding campaigns should spend raised funds, and are automatically carried out according to set rules and conditions written in code. If there are errors or loopholes in this code, hackers can exploit them to take the money detailed in the agreement.

One tool that Liu and his team developed, called , found nine vulnerabilities in smart contracts that people had missed. Another tool, called , can generate smart contract code according to written specifications, as well as check the contracts for errors. When Liu and his colleagues used PropertyGPT to check existing smart contracts on the platform Certora, they found 12 bugs that they submitted to a bounty programme to claim a reward of $8256.

Liu and his team are now working on building a more advanced bug-checking tool. “Our general methods are not only applicable to smart contracts, but actually we can use them to find vulnerabilities in other programming languages,” says Liu.

Liu and his team aren’t the only ones working on uncovering bugs. Other ethical hackers have also started integrating publicly available AIs into their toolkits, says at HackerOne, a cybersecurity company that helps software companies run bug bounty schemes.

Sherrets, who also looks for bugs in his spare time, says he has seen hackers using customised tools built by modifying OpenAI’s ChatGPT. These AIs can both scan for vulnerabilities in chunks of code and help with testing a system’s cyber defences, such as generating lists of words to send to a system that might reveal a security flaw.

They are also useful to help write and communicate the bugs’ severity and impact to developers, says Sherrets, which can be a hard task for programmers who are immersed in the technical details but may struggle with written reports. “I think that’s going to be tremendously helpful,” he says.

However, the convincing language generated by LLMs can also present problems. , who created and helps manage cURL, a tool used by thousands of programmers to fetch data from web addresses, has seen an increase in reports that initially look like genuine security flaws but are actually nonsense, seemingly generated by AI.

“I have not seen one [AI-generated report] yet that actually identified a real problem,” says Stenberg. “They’re all hallucinations, more or less.”

The reports take time to look through and aren’t easy to identify as being generated by an AI at first glance, he says. “It’s not just a simple, single line where the human is saying something is wrong here,” he says. “No, you’ll get 200 lines, including different screenshots and everything from the AI.”

The better the AI reports get, while still being wrong, the more work they end up creating, says Stenberg. “I’m a little bit scared about it.”

Sherrets agrees that this could be a nuisance, although he says a way around this could be to have publicly rated profiles of hackers who submit reports on platforms like , which would discourage people from submitting bogus reports. “I’m pretty optimistic that the industry-at-large will have really good ways of finding additional vulnerabilities and directing people somewhere they can submit them,” he says.

Topics: Software