Finding real world software vulnerabilities using ChatGPT

Abstract

The rapid integration of artificial intelligence (AI) into cybersecurity has introduced revolutionary tools for vulnerability assessments, where AI's pattern recognition capabilities and natural language processing can potentially help in cybersecurity detection and remediation strategies. This paper explores the potential between AI and cybersecurity through the lens of a YAML-based ChatGPT agent named MasterEngineer, devised to automate the highlighting of software vulnerabilities and offer learning insights into their nature and resolution of the vulnerable code. The research is directed towards examining the effectiveness of MasterEngineer in assessing source code vulnerabilities across various languages and decompiled C code, juxtaposed with traditional static and dynamic analysis tools.

Employing a robust dataset, including the SecurityEval Dataset covering a diverse array of MITRE Common Weakness Enumerations (CWEs) and reverse engineering challenges from Capture The Flag (CTF) events, the study conducts a few experiments to measure the agent's performance in identifying, annotating, and mitigating real-world vulnerabilities. The agent's outcomes are compared against the established tools SonarQube for static analysis and the reverse engineering utilities IDA Free and Ghidra, highlighting MasterEngineer's potential capabilities in instances where traditional tools may falter, or augment the use of traditional tools.

MasterEngineer's approach underscores its dual functionality: as a detection tool and as an instructional guide that fosters a deeper understanding of vulnerabilities through the generation of Proof of Concepts (PoCs) and suggestions of remediation recommendations. This helps position the agent as an asset for practitioners and novices to cybersecurity, offering a better learning experience that extends from theoretical to practical cybersecurity.

Despite the promises shown, the work recognizes its limitations, including the coverage of vulnerability types and languages, constraints posed by tool capabilities, and the research scope defined by the datasets. These limitations suggest avenues for future research such as expanding the dataset scope, developing plugins for enhanced reverse engineering interoperability, and exploring AI-driven automation with security tools' APIs.

This study contributes to the evolving dynamic between AI and cybersecurity, presenting MasterEngineer as a prime example of how AI can be harnessed to enrich vulnerability analysis and education, thus setting a benchmark for future endeavors in the cybersecurity AI landscape.