A New Breed of Analysers
a day ago
- #security
- #AI
- #curl

- curl is a large project with 180,000 lines of C89 code, comparable in size to 'War and Peace'.
- The project has a long history, starting in 1996, and supports 28 URL schemes, over 100 operating systems, and nearly 30 CPU architectures.
- Over 270 releases have been shipped, with more than 12,500 documented bugfixes and contributions from over 1,400 humans.
- AI-powered tools like Google Big Sleep and ZeroPath have identified security vulnerabilities in curl, marking a shift in issue detection.
- A significant number of high-quality bug reports were submitted by researchers using AI tools, leading to numerous fixes.
- AI tools scan all source code without requiring a build, enabling them to find issues in rarely tested code paths.
- Examples of issues found include incorrect function documentation, protocol non-compliance, and memory leaks.
- The use of AI in code analysis is seen as an evolutionary step, not a revolution, but it raises ethical questions about code ingestion.
- curl was part of the AIxCC competition at DEF CON 33, where AI tools searched for vulnerabilities.
- Future plans include integrating AI-powered analyzers into CI setups, though current tools like GitHub Copilot are not yet up to par.