Finding real world software vulnerabilities using ChatGPT

The rapid integration of artificial intelligence (AI) into cybersecurity has introduced revolutionary tools for vulnerability assessments, where AI's pattern recognition capabilities and natural language processing can potentially help in cybersecurity detection and remediation strategies. This...

Bibliographic Details
Main Author: Wong, Sean Chun Foh
Other Authors: Liu Yang
Format: Final Year Project
Language: English
Published: Nanyang Technological University 2024
Subjects:
Online Access: https://hdl.handle.net/10356/175328
Institution: Nanyang Technological University
id sg-ntu-dr.10356-175328
record_format dspace
spelling sg-ntu-dr.10356-175328
2024-04-26T15:44:23Z
Finding real world software vulnerabilities using ChatGPT
Wong, Sean Chun Foh
Liu Yang
School of Computer Science and Engineering
yangliu@ntu.edu.sg
Computer and Information Science
Cybersecurity
Chatgpt
Large language model
Generative AI
Vulnerability
Artificial intelligence
Software vulnerabilities
YAML
Source code vulnerabilities
The rapid integration of artificial intelligence (AI) into cybersecurity has introduced revolutionary tools for vulnerability assessments, where AI's pattern recognition capabilities and natural language processing can potentially help in cybersecurity detection and remediation strategies. This paper explores the potential between AI and cybersecurity through the lens of a YAML-based ChatGPT agent named MasterEngineer, devised to automate the highlighting of software vulnerabilities and offer learning insights into their nature and resolution of the vulnerable code. The research is directed towards examining the effectiveness of MasterEngineer in assessing source code vulnerabilities across various languages and decompiled C code, juxtaposed with traditional static and dynamic analysis tools. Employing a robust dataset, including the SecurityEval Dataset covering a diverse array of MITRE Common Weakness Enumerations (CWEs) and reverse engineering challenges from Capture The Flag (CTF) events, the study conducts a few experiments to measure the agent's performance in identifying, annotating, and mitigating real-world vulnerabilities. The agent's outcomes are compared against the established tools SonarQube for static analysis and the reverse engineering utilities IDA Free and Ghidra, highlighting MasterEngineer's potential capabilities in instances where traditional tools may falter, or augment the use of traditional tools. MasterEngineer's approach underscores its dual functionality: as a detection tool and as an instructional guide that fosters a deeper understanding of vulnerabilities through the generation of Proof of Concepts (PoCs) and suggestions of remediation recommendations. This helps position the agent as an asset for practitioners and novices to cybersecurity, offering a better learning experience that extends from theoretical to practical cybersecurity. Despite the promises shown, the work recognizes its limitations, including the coverage of vulnerability types and languages, constraints posed by tool capabilities, and the research scope defined by the datasets. These limitations suggest avenues for future research such as expanding the dataset scope, developing plugins for enhanced reverse engineering interoperability, and exploring AI-driven automation with security tools' APIs. This study contributes to the evolving dynamic between AI and cybersecurity, presenting MasterEngineer as a prime example of how AI can be harnessed to enrich vulnerability analysis and education, thus setting a benchmark for future endeavors in the cybersecurity AI landscape.
Bachelor's degree
2024-04-23T11:05:37Z
2024-04-23T11:05:37Z
2024
Final Year Project (FYP)
Wong, S. C. F. (2024). Finding real world software vulnerabilities using ChatGPT. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/175328
https://hdl.handle.net/10356/175328
en
SCSE23-0678
application/pdf
Nanyang Technological University
institution Nanyang Technological University
building NTU Library
continent Asia
country Singapore
content_provider NTU Library
collection DR-NTU
language English
topic Computer and Information Science
Cybersecurity
Chatgpt
Large language model
Generative AI
Vulnerability
Artificial intelligence
Software vulnerabilities
YAML
Source code vulnerabilities
author2 Liu Yang
format Final Year Project
author Wong, Sean Chun Foh
title Finding real world software vulnerabilities using ChatGPT
publisher Nanyang Technological University
publishDate 2024
url https://hdl.handle.net/10356/175328
_version_ 1800916261678350336