Google DeepMind has unveiled an AI-powered agent tool capable of automatically fixing critical software vulnerabilities.
Dubbed CodeMender, the agentic AI solution can apparently “instantly” patch new vulnerabilities in software updates and secure existing code.
While still in development, Google researchers said CodeMender had pushed some 72 security fixes for open source projects in the past six months. Details were light on the exact detail of those fixes, though the researchers said some were “as large as 4.5 million lines of code.”
In a blog post detailing CodeMender, Google DeepMind researchers Raluca-Ada Popa and John “Four” Flynn said the AI agent “helps developers and maintainers focus on what they do best – building good software.”
‘Special-purpose’ AI agents to solve security challenges
Software vulnerabilities are an inevitable part of our digital world, and the networking space is no exception.
Flaws in software could allow attackers to compromise network devices or crash them entirely, like the recent issues identified in Cisco’s IOS and IOS XE software. Botched code can even impact updates meant to improve services, like Cloudflare’s recent dashboard rework that saw the vendor ultimately DDoSing itself.
Unearthing vulnerabilities is particularly time-consuming and demanding for already-stretched IT teams. Google DeepMind engineers previously looked into using AI to unearth zero-day vulnerabilities through its Big Sleep and OSS-Fuzz projects.
Google’s researchers claim CodeMender can help security teams keep up.
According to Google, CodeMender leverages DeepMind’s Gemini Deep Think models to power an AI agent that it says is capable of reasoning before making changes, as well as automatically validating potential changes to ensure they’re correct and don’t cause regressions.
Google DeepMind contends that its automatic validation process “ensures that code changes are correct across many dimensions by only surfacing for human review high-quality patches that fix the root cause of the issue” to avoid potentially costly mistakes.
A company blog details: “CodeMender uses a large language model-based critique tool that highlights the differences between the original and modified code in order to verify that the proposed changes do not introduce regressions, and self-correct as needed.”
The Google DeepMind-developed AI offering still has some ways to go before being unleashed to the public, with engineers behind it ensuring they’re taking a “cautious approach.”
“Currently, all patches generated by CodeMender are reviewed by human researchers before they’re submitted upstream,” Popa and Flynn wrote. “Using CodeMender, we’ve already begun submitting patches to various critical open-source libraries, many of which have already been accepted and upstreamed. We’re gradually ramping up this process to ensure quality and systematically address feedback from the open-source community.”
CodeMender is the latest in a series of security-focused AI projects from Google researchers, as they look to create solutions to solve actual enterprise issues.
In September, the tech giant unveiled VaultGemma, a small-scale AI model its engineers claim is incapable of leaking its training data. The model utilizes a data preservation approach called differential privacy that effectively encrypts data during the training process to prevent the model from memorizing specific data points, while still allowing it to learn general patterns.
For all its focus on security, that didn’t stop one of Google’s recent AI offerings from being the subject of a major security flaw.
An issue with Gemini CLI AI, an open-source AI agent for command line terminals that had only launched in June, could have allowed hackers to execute arbitrary malicious code on a user’s machine without their knowledge.