Google has a new AI-powered security kit that should give human researchers pause

Google’s Project Zero, a team of security analysts, has introduced a new framework aimed at improving automated vulnerability research using large language models.

Project Naptime uses AI to replicate the systematic methods of human security researchers, with the aim of taking some of the pressure off an already strained workforce.

The initiative gets its name from its potential to allow human workers to “take regular naps” while AI performs complex vulnerability research tasks.

Google reveals details of Project Naptime

Sergei Glazunov and Mark Brand of Google Project Zero noted: “Naptime uses a specialized architecture to improve an LLM’s ability to conduct vulnerability research.”

Key components of the Naptime architecture include a Code Browser Tool that allows the AI agent to navigate the target codebase, similar to how engineers use Chromium Code Search; a Python Tool that allows running Python scripts in a sandbox environment; a Debugger Tool that observes program behavior with various inputs; and a Reporter Tool that monitors task progress and verifies success conditions.

Glazunov and Brand added: “Naptime enables an LLM to conduct vulnerability research that closely aligns with the iterative, hypothesis-driven approach of human security experts.”

In tests with the CyberSecEval 2 benchmark suite, released by rival tech company Meta, Naptime demonstrated significant improvements in identifying buffer overflow and advanced memory corruption errors in C and C++ code.

Although Google’s Project Naptime is still in its early stages, it is an important step forward in automated vulnerability research. It can potentially help close the gaps left by traditional methods while addressing the ongoing skills shortage.
