How Google’s DeepMind Uses AI to Fix Software Security Flaws
Google DeepMind has developed a new AI tool called CodeMender that helps find and fix security issues in software. Over the past six months, it has submitted 72 patches to open source projects, some with millions of lines of code. The goal is to make software safer without relying only on human developers.
What is CodeMender and How Does It Work?
CodeMender uses advanced AI models called Gemini Deep Think to act as an autonomous fixer for security bugs. It can analyze code, identify vulnerabilities, and make changes to fix them. The system doesn’t just guess; it reasons about the code before making updates and then automatically checks that those fixes work correctly. This helps prevent new bugs or regressions from slipping in.
The tool relies on a mix of techniques. It uses static analysis to examine code without running it, dynamic analysis to see how code behaves during execution, and differential testing to compare changes. Fuzzing, which involves testing code with lots of random inputs, helps find hidden bugs. SMT solvers are also used to systematically analyze code patterns, control flow, and data flow to uncover root causes of security issues.
CodeMender also employs multiple specialized agents working together. For example, one agent based on large language models reviews the proposed changes and highlights differences between the original and modified code. This review step ensures that only high-quality patches—those that fix the real problem, don’t cause new issues, and follow coding style—are sent for human review.
Reactive and Proactive Security Approaches
The AI tool handles security both reactively and proactively. Reactively, it quickly patches newly discovered vulnerabilities. Proactively, it rewrites parts of code to prevent entire classes of bugs from happening in the first place.
A recent example of proactive use was on libwebp, a popular image compression library. Google DeepMind applied special annotations called -fbounds-safety, which add checks to prevent buffer overflows. Buffer overflows are common vulnerabilities that can be exploited for malicious attacks. By adding these safety checks, CodeMender effectively made it much harder for attackers to exploit a known buffer overflow bug in libwebp, identified as CVE-2023-4863. This bug was used in a zero-click exploit targeting iOS devices, so fixing it helps protect many users.
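The -fbounds-safety annotations described above tie a buffer's length to the pointer that indexes it, so the compiler can reject any write past that length. As an added example (not libwebp's or CodeMender's code), the block below shows the unchecked row-copy pattern beside a hardened version that enforces the same bound explicitly; `struct pixel_row`, `row_new` and the `COUNTED_BY` macro are constructed for this illustration, and the macro expands to the `counted_by` attribute only where the compiler supports it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Expand to the counted_by attribute where the compiler supports it
 * (the annotation style -fbounds-safety builds on); elsewhere expand
 * to nothing, so only the explicit check in row_copy_checked guards
 * the buffer. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(field) __attribute__((counted_by(field)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(field)
#endif

/* Hypothetical image row: len is the number of valid bytes in data. */
struct pixel_row {
    size_t len;
    uint8_t data[] COUNTED_BY(len);
};

/* Allocate a zeroed row of `len` bytes (constructed helper). */
struct pixel_row *row_new(size_t len)
{
    struct pixel_row *r = malloc(sizeof *r + len);
    if (r == NULL)
        return NULL;
    r->len = len;
    memset(r->data, 0, len);
    return r;
}

/* Vulnerable shape: trusts the caller's byte count, so n > dst->len
 * writes past the heap allocation (a classic buffer overflow). */
void row_copy_unchecked(struct pixel_row *dst, const uint8_t *src, size_t n)
{
    memcpy(dst->data, src, n);
}

/* Hardened shape: the bound the annotation expresses is enforced here.
 * Returns bytes copied, or 0 with nothing written if n exceeds dst->len. */
size_t row_copy_checked(struct pixel_row *dst, const uint8_t *src, size_t n)
{
    if (dst == NULL || src == NULL || n > dst->len)
        return 0;
    memcpy(dst->data, src, n);
    return n;
}
```

Under a -fbounds-safety build the annotation lets the compiler trap the overflowing `memcpy` in the unchecked version at run time; without it, the explicit comparison in `row_copy_checked` is the only thing standing between a bad count and heap corruption.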
Current Limitations and Future Plans
Despite promising early results, Google DeepMind emphasizes caution. All patches created by CodeMender are reviewed by human security researchers before being shared publicly or integrated into projects. This step ensures the fixes are reliable and don’t introduce new problems.
Already, the company has submitted patches to several critical open-source libraries, and many have been accepted and merged into their main codebases. As the system proves itself, Google DeepMind plans to expand its use and gradually reach out to maintainers of important projects. They want to make CodeMender widely available so developers everywhere can benefit from its security improvements.
Looking ahead, Google DeepMind intends to publish detailed technical papers on how CodeMender works and the results it achieves. The company hopes that, over time, this AI tool will become a standard part of software development, helping teams stay ahead of evolving security threats with less manual effort.
In summary, CodeMender represents a significant step forward in AI-powered security. It combines sophisticated reasoning, multiple analysis techniques, and careful validation to help keep software safer. While still in early stages, its potential to transform how developers handle vulnerabilities is clear.