Comment by uhx
8 days ago
> Checking if a real vulnerability can be triggered is a trivial task compared to finding one
Have you ever tried to write PoC for any CVE?
This statement is wrong. Sometimes bug may exist but be impossible to trigger/exploit. So it is not trivial at all.
Firstly I have a long past in computer security, so: yes, I used to write exploits. Second, the vulnerability verification does not need being able to exploit, but triggering an ASAN assert. With memory corruption that's very simple often times and enough to verify the bug is real.
Thank you for clarification. It actually helped: at first I was overcomplicating it in my head.
After thinking about it for an hour I came up with this:
LLM claims that there is a bug. We dont know whether it really exist. We run a second LLM that is capable to write unit-tests/reproducer (dont have to be E2E, shorter data flow -> bigger success rate for LLM), compile program and run the test for ASAN assert. ASAN error means proven bug. No error, as you said, does not prove anything, because it may simply mean LLM failed to write a correct test.
Still don't know how much $ it would cost for LLM reasoning, but this technically should work much better than manually investigating everything.
Sorry for "have-you-ever" thing :)
I'm tickled at the idea of asking antirez [1] if he's ever written a PoC for a CVE.
[1] https://en.wikipedia.org/wiki/Salvatore_Sanfilippo
I actually like when that happens. Like when people "correct" me about how reddit works. I appreciate that we still focus on the content and not who is saying it.
That's not really what happened on this thread. Someone said something sensible and banal about vulnerability research, then someone else said do-you-even-lift-bro, and got shown up.
1 reply →
This happens over and over in these discussions. It doesn't matter who you're citing or who's talking. People are terrified and are reacting to news reflexively.
Hi! Loved your recent post about the new era of computer security, thanks.
1 reply →
Personally, I’m tired of exaggerated claims and hype peddlers.
Edit: Frankly, accusing perceived opponents of being too afraid to see the truth is poor argumentative practice, and practically never true.
Sure he wrote a port scanner that obscures the IP address of the scanner, but does he know anything about security? /s
Oh, and he wrote Redis. No biggie.
That's both wholly different branches than finding software bugs
I'm not GP, but I've written multiple PoCs for vulns. I agree with GP. Finding a vuln is often very hard. Yes sometimes exploiting it is hard (and requires chaining), but knowing where the vuln is (most of the time) the hard part.
Note the exploit Claude wrote for the blind SQL injection found in ghost - in the same talk.
https://youtu.be/1sd26pWhfmg?is=XLJX9gg0Zm1BKl_5
oh no. Antirez doesn't know anything about C, CVE's, networking, the linux kernel. Wonder where that leaves most of us.