- CodeMender automatically generates AI-reviewed security patches for open source projects
- Google DeepMind says CodeMender reduces vulnerability workloads through code validation
- DeepMind plans wider developer release once CodeMender’s reliability is confirmed
Google DeepMind has revealed CodeMender, an artificial intelligence agent it says can automatically detect and fix software vulnerabilities before they are exploited by hackers.
Google’s AI research arm says the new tool can secure open source projects by generating patches which can be applied once they’ve been reviewed by human researchers.
CodeMender builds on DeepMind’s Gemini Deep Think model and uses multiple analysis tools, including fuzzing, static analysis, and differential testing, to identify root causes of bugs and prevent regressions.
Helping not replacing humans
Raluca Ada Popa, senior staff research scientist at DeepMind, and John “Four” Flynn, its vice president of security, said the system had already delivered dozens of fixes.
“Over the past six months that we’ve been building CodeMender, we have already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code,” Popa and Flynn wrote in a DeepMind blog post.
The company says CodeMender can act both reactively and proactively, repairing discovered flaws and rewriting code to remove classes of vulnerabilities entirely.
The system should ultimately be able to reduce the security maintenance workload by validating its own patches before sending them for human review.
The review step is something that Google is keen to stress, noting CodeMender isn’t there to replace humans, but rather to act as a helpful agent and expand the increasing volume of vulnerabilities that automated systems can detect.
In one case, the team says CodeMender automatically applied -fbounds-safety annotations to parts of the libwebp image compression library, a step DeepMind claims would have prevented past exploits.
The annotations force the compiler to check buffer boundaries, lowering the risk of overflow-based attacks.
The developers also acknowledge the growing use of AI by malicious actors and argue that defenders need equivalent tools.
DeepMind plans to expand testing with open source maintainers and, once its reliability is properly proven, hopes to release CodeMender for wider developer use.
Google has also revised its Secure AI Framework and launched a new Vulnerability Reward Program for AI-related flaws.
You might also like
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
