Analyzing the Exploitability of Open Source Applications with AI
Updated: Mar 22
Introduction
As the world moves toward artificial intelligence (AI) powered by natural language processing and deep learning technologies, there has been a growing need for efficient and accurate approaches to summarizing and automating the discovery of exploits within source code. Fortunately, the recent explosion of Natural Language Processing (NLP) technologies has made it possible to leverage the General Processor Text (GPT) approach to quickly and accurately summarize the exploitability of source code.
In this article, we will first discuss the GPT approach to summarizing the exploitability of C/C++ functions. We will then compare this approach to manual exploit analysis, highlighting its accuracy and scalability. Finally, we will discuss the limitations of GPT and provide recommendations for its use in
production applications.
What is GPT? GPT is a collection of neural network models designed to quickly and accurately summarize the underlying text. It was developed by OpenAI, a research laboratory founded in 2015 with the goal of researching and designing artificial general intelligence (AGI). In 2017, the OpenAI GPT model achieved state-of-the-art accuracy on the open-source Penn Treebank dataset without any human intervention. The model is built upon a deep learning architecture called a Transformer, which consists of multiple layers of self-attention networks. The Transformer model offers superior accuracy compared to other approaches, such as recurrent neural networks (RNNs).
GPT is designed to be both fast and highly accurate. By leveraging the power of deep learning, GPT is able to quickly process large amounts of input data, including text-based code, and identify patterns amongst the data. It can then generate a brief, structured summary of the underlying code — in this case, a summary describing how a function in C/C++ may be susceptible to attack.
Exploit Analysis vs GPT
When it comes to analyzing the exploitability of functions written in C/C++, manual analysis is the traditional approach. It requires someone to evaluate the code in detail, identify potential weaknesses, and assess the exploitability of the function. While manual analysis is accurate, it is also slow and requires significant developer experience.
GPT, on the other hand, is significantly faster and is capable of analyzing large codebases in a smaller duration of time. Although not perfect, it can act as a "compass" and guide offensive security researchers to interesting areas to target within applications.
Example of C/C++ Function Analysis Using the GPT within PWN Framework
The following is an example snippet of code leveraging the PWN security automation framework that will break up a C++ file into an array of functions and ask GPT to summarize how each function can be exploited:
#!/usr/bin/env ruby
require 'pwn'
token = 'TOKEN'
src = File.read('target.cpp')
begin
response = PWN::Plugins::OpenAI.chat(
token: token,
request: "Given this block of code: ```#{src}``` how is it vulnerable to attack?",
temp: 1.0
)
rescue JSON::ParserError => e
puts 'Source Code File is too large...breaking it up into blocks.'
end
# Aggregate function blocks into an array
blocks = src.scan(/(^.+\([^\)]*(?:\n[^\)]*)*\)\s\{([\s\S]*?)(^\}$)+)/)
blocks.each do |bytes_matched|
begin
block = bytes_matched.first
response = PWN::Plugins::OpenAI.chat(
token: token,
request: "Given this block of code: ```#{block}``` how is it vulnerable to attack?",
temp: 1.0
)
puts "#{response[:choices].first[:text].chop}:\n\n"
puts '```'
puts block
puts '```'
puts "\n\n\n"
sleep 3
rescue JSON::ParserError => e
puts e
next
end
endThe following are responses that can be expected as a result of running the script above:
This block of code is not vulnerable to attack, as it does not contain any user input or external code that could be manipulated by an attacker.
This block of code is vulnerable to attack because it does not properly validate user input. It is possible for an attacker to inject malicious code into the authentication database name, which could be used to gain access to the system.
This block of code is vulnerable to attack because it is using plaintext passwords and not using any form of encryption. This means that if an attacker were to gain access to the passwords, they could easily read and use them to gain access to the system.
This code is vulnerable to attack because it does not check the authentication type before sending the authentication request. If an attacker is able to modify the authentication type, they could potentially send an authentication request with a malicious payload.
For more information around PWN, check it out here:
Limitations of GPT
Despite its accuracy and scalability, there are certain limitations to the GPT approach. For one, GPT is limited in its ability to identify the intent of the code. As a result, it cannot identify complex exploit scenarios or account for unexpected system behaviour. Additionally, GPT is limited in its ability to generalize from a single example, making it difficult to summarize the exploitability of functions written in unfamiliar languages.
Conclusion
GPT is a powerful and accurate approach to summarizing the exploitability of C/C++ functions. Compared to manual analysis, GPT is faster and more scalable, allowing organizations to quickly assess the security of open source software projects. However, GPT is limited in its ability to identify the intent of the code and generalize across unfamiliar programming languages. As such, it should be used in conjunction with manual analysis and other techniques to ensure accurate and scalable exploit analysis.
Lastly, it's important to note - this should not be attempted on private source code repositories, as this will result in unauthorized code disclosure (since you'd ultimately be sending it up through GPT to analyze).
Comentarios