The claim that Mythos found its "flagship" BSD bug because the upstream Kerberos bug/patch from 2007 is in the training set is very interesting.
-
The claim that Mythos found its "flagship" BSD bug because the upstream Kerberos bug/patch from 2007 is in the training set is very interesting. It significantly weakens the novel discovery claim, but makes me wonder about the implications for how transformers evaluate input weights and whether this could be extracted and leveraged as a variant hunting technique.
Or maybe you could just straight grep for the vulnerable code block from every patch ever and see what falls out. That may also be embarrassingly effective.
-
@lapt0r LLMs are great librarians but the Mythos thing is a larp by Amodei. Still, LLMs are a gigantic security threat only because of slopware.
-
@cigitalgem @lapt0r the back to back Linux LPEs might be coloring my view but I think there’s a lot of potential in that idea of looking for the same pattern elsewhere, especially for the major projects which people often copy-paste from or where package management was historically hard enough to encourage copying code you weren’t going to carefully track upstream (C, PHP, etc.)
-
@acdha @cigitalgem variant hunting is a time honored security research tradition and tools for doing it at scale have never been better (and will continue to improve)
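
The "grep for the vulnerable code block from every patch" idea from the first post, sketched as an added example that is not code from anyone in this thread: it takes the pre-fix lines of a unified diff and reports copies that still carry them, ignoring whitespace differences. The patch, file paths and function names are constructed for illustration.

```python
import re

def normalize(line: str) -> str:
    """Drop all whitespace so re-indented or re-spaced copies still match."""
    return re.sub(r"\s+", "", line)

def removed_blocks(patch: str, min_lines: int = 2) -> list[list[str]]:
    """Contiguous runs of '-' lines in a unified diff: the code before the fix.
    Patches that only add lines yield nothing and need a different signature."""
    blocks, run = [], []
    for line in patch.splitlines() + [""]:          # "" flushes the last run
        if line.startswith("-") and not line.startswith("---"):
            if normalize(line[1:]):
                run.append(normalize(line[1:]))
        else:
            if len(run) >= min_lines:               # skip noise such as a lone "}"
                blocks.append(run)
            run = []
    return blocks

def find_variants(patch: str, files: dict[str, str]) -> list[tuple[str, int]]:
    """(path, line number) of every place a pre-fix block still appears."""
    hits, blocks = [], removed_blocks(patch)
    for path, text in files.items():
        code = [(n, normalize(l)) for n, l in enumerate(text.splitlines(), 1)
                if normalize(l)]                    # blank lines do not break a match
        norm = [c for _, c in code]
        for block in blocks:
            for i in range(len(norm) - len(block) + 1):
                if norm[i:i + len(block)] == block:
                    hits.append((path, code[i][0]))
    return hits

# Constructed sample: an upstream fix and two copies of the same function.
PATCH = """\
--- a/parse.c
+++ b/parse.c
@@ -10,5 +10,7 @@
 int read_field(struct buf *b, char *out) {
-    int len = get_len(b);
-    memcpy(out, b->data, len);
+    size_t len = get_len(b);
+    if (len > MAX_FIELD)
+        return -1;
+    memcpy(out, b->data, len);
     return len;
 }
"""
TREE = {
    "vendor/libfoo/parse.c": "int read_field(struct buf *b, char *out) {\n"
        "\tint len=get_len(b);\n\n\tmemcpy(out, b->data, len);\n\treturn len;\n}\n",
    "upstream/parse.c": "int read_field(struct buf *b, char *out) {\n"
        "    size_t len = get_len(b);\n    if (len > MAX_FIELD)\n        return -1;\n"
        "    memcpy(out, b->data, len);\n    return len;\n}\n",
}

if __name__ == "__main__":
    print(find_variants(PATCH, TREE))
```

Exact-block matching only catches straight copies; renamed variables or reordered statements need token- or AST-level comparison.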