
"Google says its AI-powered security repair tool CodeMender has been helping secure open source projects through automated patch creation, subject to human approval. The Chocolate Factory is already convinced that its AI-driven fuzzing tool, OSS-Fuzz, can find software vulnerabilities that humans miss. CodeMender closes the loop by proposing fixes for flawed code. CodeMender is based on the company's Gemini Deep Think model."
"According to Raluca Ada Popa, senior staff research scientist at Google's DeepMind, and John "Four" Flynn, VP of security at DeepMind, the AI-based agent can identify the root cause of a vulnerability and can generate and review an appropriate patch before final human sign off. "Over the past six months that we've been building CodeMender, we have already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code," wrote Popa and Flynn in a blog post."
"CodeMender is described as an agent because it's not simply a large language model (e.g. Gemini). It has access to a variety of tools for tasks like static analysis, dynamic analysis, differential testing, fuzzing, and SMT analysis. These allow the agentic system to assess the underlying root cause of the vulnerability and to verify the proposed patch so it doesn't introduce regressions."
CodeMender is an AI-powered security repair agent built on Google DeepMind's Gemini Deep Think model that proposes fixes for flawed open-source code. The agent identifies the root cause of a vulnerability, generates a patch, and reviews that patch itself before a human gives final sign-off. Over the six months Google spent building it, CodeMender upstreamed 72 security fixes to open-source projects, including codebases as large as 4.5 million lines. CodeMender is meant to complement Google's fuzzing work in OSS-Fuzz: fuzzing finds the bugs, and CodeMender closes the loop by proposing the remediation. To verify a proposed patch and guard against regressions, the agent has access to static analysis, dynamic analysis, differential testing, fuzzing, and SMT analysis tools rather than relying on the language model alone. Google also says CodeMender proactively rewrites code to use more secure data structures.
Read at The Register