Google DeepMind's CodeMender: AI Agent Revolutionizes Software Security

Google DeepMind minds the patch with AI flaw-fixing scheme

CodeMender has been generating fixes for vulnerabilities in open source projects Google says its AI-powered security repair tool CodeMender has been helping secure open source projects through automated patch creation, subject to human approval. The Chocolate Factory is already convinced that its AI-driven fuzzing tool, OSS-Fuzz, can find software vulnerabilities that humans miss. CodeMender closes the loop by proposing fixes for flawed code. CodeMender is based on the company's Gemini Deep Think model. According to Raluca Ada Popa, senior staff research scientist at Google's DeepMind, and John "Four" Flynn, VP of security at DeepMind, the AI-based agent can identify the root cause of a vulnerability and can generate and review an appropriate patch before final human sign off. "Over the past six months that we've been building CodeMender, we have already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code," wrote Popa and Flynn in a blog post. Other AI bug hunting systems have also demonstrated that they can help repair vulnerabilities when wielded by knowledgeable security practitioners. Google's AI folk argue that attackers are already using AI models to help them craft attacks, so it's necessary for defenders to arm themselves similarly. CodeMender is described as an agent because it's not simply a large language model (e.g. Gemini). It has access to a variety of tools for tasks like static analysis, dynamic analysis, differential testing, fuzzing, and SMT analysis. These allow the agentic system to assess the underlying root cause of the vulnerability and to verify the proposed patch so it doesn't introduce regressions. Popa and Flynn say that CodeMender has proven useful not only for fixing vulnerabilities, but also for rewriting existing code to use more secure data structures as a proactive form of defense. They point to how CodeMender was used to apply annotations to portions of an image compression library called . The annotations tell the compiler to add a bounds check to the code, which prevents the exploitation of buffer overflow or underflow conditions. Had these been in place two years ago when a heap buffer overflow vulnerability in (CVE-2023-4863) was abused, iOS users would not have been affected by the zero-click exploit, DeepMind claims. The DeepMinders say that while CodeMender's early results show promise, the system's patches are all being vetted by humans for the sake of reliability. They hope at some point to release CodeMender to the general public. Google has also launched a dedicated AI Vulnerability Reward Program (VRP) that revises and clarifies the rules related to AI bugs that were issued under its Abuse VRP in 2023. AI issues reported under the Abuse VRP have led to payouts totalling more than $430,000 to date. The top award under the AI VRP is $20,000. In addition, the search biz has updated its Secure AI Framework to SAIF 2.0, with new details on the risks posed by AI agents. Google's SAIF 2.0 guidelines for AI agents recall sci-fi author Isaac Asimov's three laws of robotics: "agents must have well-defined human controllers, their powers must be carefully limited, and their actions and planning must be observable." Expect that advice to be ignored with the same enthusiasm that put robocars on US streets. ®

Google DeepMind introduces new AI agent for code security

Using advanced AI to fix critical software vulnerabilities Today, we're sharing early results from our research on CodeMender, a new AI-powered agent that improves code security automatically. Software vulnerabilities are notoriously difficult and time-consuming for developers to find and fix, even with traditional, automated methods like fuzzing. Our AI-based efforts like Big Sleep and OSS-Fuzz have demonstrated AI's ability to find new zero-day vulnerabilities in well-tested software. As we achieve more breakthroughs in AI-powered vulnerability discovery, it will become increasingly difficult for humans alone to keep up. CodeMender helps solve this problem by taking a comprehensive approach to code security that's both reactive, instantly patching new vulnerabilities, and proactive, rewriting and securing existing code and eliminating entire classes of vulnerabilities in the process. Over the past six months that we've been building CodeMender, we have already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code. By automatically creating and applying high-quality security patches, CodeMender's AI-powered agent helps developers and maintainers focus on what they do best -- building good software. CodeMender operates by leveraging the thinking capabilities of recent Gemini Deep Think models to produce an autonomous agent capable of debugging and fixing complex vulnerabilities. To do this, the CodeMender agent is equipped with robust tools that let it reason about code before making changes, and automatically validate those changes to make sure they're correct and don't cause regressions.

Google DeepMind unveils CodeMender, an AI agent that autonomously patches software vulnerabilities - SiliconANGLE

Google DeepMind unveils CodeMender, an AI agent that autonomously patches software vulnerabilities Alphabet Inc.'s Google DeepMind lab today shared results for CodeMender, an artificial intelligence-powered agent that automatically detects, patches and rewrites vulnerable code to prevent future exploits. CodeMember builds on DeepMind's previous AI-based vulnerability discovery projects such as Big Sleep and OSS-Fuzz, by combining the reasoning power of Gemini Deep Think models with advanced program analysis techniques. The aim is to debug and repair complex security flaws autonomously across massive codebases. While still only in a research phase, CodeMender has already submitted 72 security fixes to open-source projects, including those spanning more than 4.5 million lines of code. According to DeepMind, CodeMender's AI-powered agent helps developers and maintainers focus on what they do best -- building good software -- by automatically creating and applying high-quality security patches. CodeMender is designed to be both reactive and proactive by instantly patching discovered vulnerabilities and also rewriting existing code to eliminate entire classes of flaws. In one example, the agent applied "-fbounds-safety" annotations to the libwebp image compression library, the same library exploited in a 2023 zero-click iOS attack. In doing so, it rendered similar buffer overflow vulnerabilities "unexploitable forever," according to DeepMind researchers. Under the hood, CodeMender uses a suite of tools including static and dynamic analysis, fuzzing, symbolic reasoning and an "LLM judge" that validates whether proposed changes preserve functionality. The system can self-correct automatically before surfacing its final patch for human review when the validation detects an issue and all changes are verified for correctness, adherence to style guidelines and lack of regressions before submission. DeepMind notes that CodeMender remains a research effort and that "all patches generated by CodeMender are reviewed by human researchers before they're submitted upstream." The DeepMind team plans to expand outreach to open-source maintainers and "hopes to release CodeMender as a tool that can be used by all software developers to keep their codebases secure," with technical papers detailing the agent's architecture and validation pipeline to follow. If and when it's released, CodeMember stands in contrast to traditional methods like static analysis and fuzzing that can surface vulnerabilities but still rely heavily on human expertise to validate and repair them. CodeMender's approach points toward a future where AI systems can handle discovery and remediation, which is arguably a critical step as modern codebases grow exponentially in size and complexity.

Google DeepMind's CodeMender Can Now Fix Security Bugs Automatically

DeepMind said CodeMender is not available to the public at this time Google DeepMind, on Monday, introduced CodeMender, an artificial intelligence (AI) agent designed to automatically detect and fix security vulnerabilities in software code. The AI system can not only identify bugs but also suggest and verify patches, eliminating the need for manual intervention. This means developers can hand over the reins to CodeMender, and it will not require further input. DeepMind highlights that the AI agent is capable of working both reactively by repairing existing security flaws and proactively by rewriting parts of code to prevent future vulnerabilities. Google DeepMind's New AI Agent Can Tackle Security Flaws in Code The company says that fixing vulnerabilities in software is one of the most time-consuming and difficult tasks using traditional means. AI systems have also not been a great help in this area, since it requires understanding the logic and context of thousands of lines of code and detecting a wide range of flaws. Since these are not software-crashing bugs, deployment-based tests are also not useful here. CodeMender, the company claims, is capable of understanding the logic and structure of complex software. It analyses source code, identifies weak points that could lead to potential exploits, and generates secure fixes. After a patch is proposed, the AI agent tests it to ensure that the vulnerability is resolved and no new issues are added. DeepMind's system also self-corrects if a patch fails verification, iterating until the change meets security and functionality standards. It can work both reactively and proactively, and the latter is useful to create defences against potential risks. DeepMind claims that CodeMender can rewrite code to follow safer programming practices, allowing developers to address entire classes of vulnerabilities before they can cause harm. Highlighting its real-world efficiency, the company claimed that the AI agent was able to find 72 verified security patches across major open-source software in a six-month trial period. It was able to suggest fixes for memory mismanagement, buffer overflows, and unsafe data handling. DeepMind claims some of these projects were as large as 4.5 million lines of code. CodeMender is currently a research project, and isn't available to the general public. Currently, every patch generated by the AI agent is reviewed by human researchers before they are submitted upstream. The techniques used for this system and the results from the trials will be published in technical papers and reports in the coming months.