Code Intelligence unveils new LLM-powered software security testing solution

Security testing firm Code Intelligence has announced the release of CI Spark, a new large language model (LLM) powered solution for software security testing. CI Spark makes use of LLMs to automatically identify attack surfaces and to suggest test code, leveraging generative AI’s code analysis and generation capabilities to automate the generation of fuzz tests, which are central to AI-powered white-box testing, according to Code Intelligence.

CI Spark was first tested as part of a collaboration with Google’s OSS-Fuzz, a project that aims to ensure the security of open-source projects through continuous fuzz testing.

Cybersecurity impact of emerging generative AI, LLMs

The rapid emergence of generative AI and LLMs has been one of the biggest stories of the year, with the potential impact of generative AI chatbots and LLMs on cybersecurity a key area of discussion. These new technologies have generated a lot of chatter about the security risks they could introduce – from concerns about sharing sensitive business information with advanced self-learning algorithms to malicious actors using them to significantly enhance attacks.

However, generative AI chatbots/LLMs can also enhance cybersecurity for businesses in multiple ways, giving security teams a much-needed boost in the fight against cybercriminal activity. As a result, many security vendors have been incorporating the technology to improve the effectiveness and capabilities of their offerings.

Today, the UK’s House of Lords Communications and Digital Committee opens its inquiry into LLMs with evidence from leading figures in the AI sector including Ian Hogarth, chair of the government’s AI Foundation Model Taskforce. The Committee will assess LLMs and what needs to happen over the next three years to ensure the UK can respond to the opportunities and risks they introduce.

Solution automates generation of fuzz tests in JavaScript/TypeScript, Java, C/C++

Feedback-based fuzzing – a testing approach that leverages genetic algorithms to iteratively improve test cases, using code coverage as the guiding metric – is one of the main technologies behind AI-powered white-box testing, Code Intelligence wrote in a blog post. However, it still requires human expertise to identify entry points and to develop a test manually, so building a sufficient suite of tests can often take days or weeks, according to the company. This manual effort presents a non-trivial barrier to broad adoption of AI-enhanced white-box testing.

CI Spark leverages generative AI’s code analysis and generation capabilities to automate the generation of fuzz tests in JavaScript/TypeScript, Java, and C/C++, Code Intelligence said. “We have created an extensive set of prompts that guide LLMs to identify security-critical functions and generate high-quality fuzz tests. The prompts give instructions on how to generate tests that optimally make use of our underlying fuzzing engines,” the company stated.

The prompts also provide the insights CI Spark needs to create tests that achieve maximum code coverage. CI Spark additionally offers an interactive mode in which users can correct any false positives that slip through and improve the quality of the generated tests.

According to Code Intelligence, CI Spark can:

  • Automatically identify fuzzing candidates, providing a list of public functions/methods that can be used as entry points for fuzz tests.
  • Automatically generate a fuzz test for a selected candidate. The interactive mode lets the user give tips to the AI to improve the quality of the generated test and fix any errors.
  • Improve existing tests to increase code coverage.
  • Use existing unit tests that call the candidate API as hints when generating fuzz tests. These provide valuable examples of correct API usage and result in better fuzz tests.
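To make the coverage-guided loop described in the previous section concrete, and to show the shape of the entry-point harness that the list above refers to, here is an added, self-contained example in JavaScript. It is not Code Intelligence’s code: the candidate API `parseHeader`, its hand-recorded branch ids, the harness `fuzzOneInput` and the fuzzer `fuzz` are all constructed for illustration (a real engine instruments the program instead of relying on the target to record coverage).

```javascript
// Constructed candidate API: the kind of public function a tool like CI Spark would list as a
// fuzzing entry point. Its bug sits behind a chain of byte comparisons that blind random input rarely reaches.
const coverage = new Set(); // branch ids hit by the current execution (hand-instrumented here)
function parseHeader(buf) {
  const magic = [0x46, 0x55, 0x5a, 0x5a]; // "FUZZ"
  coverage.add("len");
  if (buf.length < magic.length) return null;
  for (let i = 0; i < magic.length; i++) {
    coverage.add("b" + i);                 // one branch id per comparison
    if (buf[i] !== magic[i]) return null;
  }
  throw new Error("bug: malformed header accepted"); // the defect the fuzzer should find
}
// Fuzz harness in the shape a generated fuzz test takes: one entry point fed raw bytes.
function fuzzOneInput(data) { parseHeader(data); }
// Small deterministic PRNG (xorshift32) so a run is reproducible from its seed.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return (n) => { s ^= s << 13; s >>>= 0; s ^= s >>> 17; s ^= s << 5; s >>>= 0; return s % n; };
}
// Mutation operators of the genetic loop: overwrite, insert or delete one byte.
function mutate(parent, rnd) {
  const bytes = Array.from(parent);
  switch (rnd(3)) {
    case 0: bytes[rnd(bytes.length)] = rnd(256); break;
    case 1: bytes.splice(rnd(bytes.length + 1), 0, rnd(256)); break;
    default: if (bytes.length > 1) bytes.splice(rnd(bytes.length), 1);
  }
  return Buffer.from(bytes);
}
// Feedback loop: run a mutant, keep it only if it reached a branch never seen before,
// and favour the corpus entry with the most coverage as the next parent.
function fuzz(seedInput, iterations, seed = 1) {
  const rnd = makeRng(seed), corpus = [], seen = new Set();
  const execute = (input) => {
    coverage.clear();
    try { fuzzOneInput(input); } catch (e) { return true; } // crash found
    if ([...coverage].some((b) => !seen.has(b))) {
      coverage.forEach((b) => seen.add(b));
      corpus.push({ input, cov: coverage.size });
    }
    return false;
  };
  if (execute(seedInput)) return { crash: seedInput, corpus, seen, iterations: 0 };
  for (let i = 1; i <= iterations; i++) {
    const best = corpus.reduce((a, b) => (b.cov > a.cov ? b : a));
    const parent = rnd(2) === 0 ? best : corpus[rnd(corpus.length)];
    const child = mutate(parent.input, rnd);
    if (execute(child)) return { crash: child, corpus, seen, iterations: i };
  }
  return { crash: null, corpus, seen, iterations };
}
```

Starting from the constructed seed `Buffer.from("seed")`, the loop has to pass four 1-in-256 comparisons; keeping each input that reaches a new branch turns a 2^32 search into four independent 256-way searches, which is the feedback effect the article credits for making white-box testing tractable.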

The results from using CI Spark are encouraging and demonstrate the potential of leveraging generative AI, Code Intelligence said. However, the company is still working on improvements. The next items on the firm’s road map include a plug-and-play system for different LLMs, model fine-tuning for better results, automatic validation of fuzz tests, static analysis for candidate selections, identification of inadequately tested APIs, and multi-language support.
