← Back to context

Comment by Tiberium

16 hours ago

Do you think with modern LLMs in a few years projects like Linux will have all those low-hanging security bugs fixed? Are we witnessing a transition period, or will nothing change?

7 comments

Tiberium

Reply
tetha  6 hours ago

Out of this dataset of 2-3 vulnerabilities, I'm noticing a pattern: All of those are in older and/or niche kernel modules. That raises two thoughts:

Maybe the more regularly used kernel code has a lot of low-hanging security topics shaken out of it already.

And second, I'm indeed wondering what a good path to minimize the loadable kernel code is on a system looks like. My container hosts for example have a fairly well defined set of requirements, and IPSec certainly is not in there. So why not block everything solely made to support IPSec? I'm sure there is more than that.

After all, the most reliable way to higher security is to do less things.

spartanatreyu  9 hours ago

LLMs don't matter, linux's codebase has been growing much faster than it can be secured so this is all inevitable.

Transitioning components to rust eliminates certain categories of bugs leaving the rest of the bugs to be dealt with.

We'd likely end up needing another language with stronger type and effect systems to eliminate more categories of bugs. Probably something which enforces linear types, capabilities, units of measure types, and effects.

And you'd have to update linux itself to switch to capabilities.

staticassertion  16 hours ago

New vulns are introduced to Linux every day. Fuzzers trigger every single day on Linux. No, nothing will improve here from AI.

  • alex_duf  15 hours ago

    there's an argument to be made that new code will be inspected before being merged and therefore the classes of bugs an LLM is likely to find will not be merged until it's fixed.

  • Muromec  15 hours ago

    There is a finite number of bugs and betters tools that find them mean there is less bugs in the code.

    • staticassertion  15 hours ago

      We already find bugs constantly in Linux and they go unaddressed, no one even keeps up with syzkaller reports lol

      AI is neat because it's higher signal but yeah no, we're not getting anywhere close to "safe linux", AI or not.