SecurityWeek

Google DeepMind’s New AI Agent Finds and Fixes Vulnerabilities 

The new product is called CodeMender and it can rewrite vulnerable code to prevent future exploits. 

Google’s DeepMind artificial intelligence research lab this week unveiled an AI agent designed to autonomously find and fix vulnerabilities.

Google has several projects focusing on the use of AI for the discovery of vulnerabilities in software. The tech giant recently reported that its Big Sleep agent discovered a critical SQLite vulnerability and thwarted efforts to exploit it in the wild.

Its latest product is CodeMender, an AI agent that not only finds security holes but also patches them. The company argues that such tools are needed because as AI gets better at discovering flaws, it will be difficult for humans to keep up with patching. 

DeepMind says CodeMender, which leverages Gemini DeepThink models, is capable of rewriting and securing existing code to eliminate entire classes of security bugs and prevent future exploits.

CodeMender includes checks designed to ensure that the changes it makes do not cause regressions or other issues. 

The AI agent can reason about code — understanding and predicting the behavior of a program without actually running it — and effectively validate changes through the use of advanced program analysis and multi-agent systems. 

Advanced program analysis includes static and dynamic analysis, fuzzing, differential testing, and SMT solvers to identify the root cause of vulnerabilities and architectural weaknesses. 

As for multi-agent systems, DeepMind explained, “We developed special-purpose agents that enable CodeMender to tackle specific aspects of an underlying problem. For example, CodeMender uses a large language model-based critique tool that highlights the differences between the original and modified code in order to verify that the proposed changes do not introduce regressions, and self-correct as needed.”

Over the past six months, CodeMender has provided 72 security fixes to open source projects, some of which have millions of lines of code. However, DeepMind says it’s being cautious and all patches are reviewed before being submitted. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
