AI, Processor Advances Will Improve Application Security
Applications may soon become more secure as code written by artificial intelligence (AI) platforms finds its way onto next-generation secure processors.
Matt Jarvis, director of developer relations for Snyk, told attendees at the CloudNative SecurityCon North America conference today that AI platforms used to write code will not use the same high-level programming languages that humans rely on. As such, there will be fewer coding mistakes for cybercriminals to exploit when, for example, libraries are assembled to create an application.
Machines using lower-level programming languages eliminate the need to rely on libraries that are often rife with vulnerabilities, he noted.
At the same time, the platforms used to host those applications are becoming more secure. The University of Cambridge, for example, is working with SRI International on a Capability Hardware Enhanced RISC Instructions (CHERI) project that enables fine-grained memory protection and highly scalable software compartmentalization. That approach will prevent vulnerabilities in applications written in C and C++—that are currently not memory-safe—from being exploited.
Arm has become the first processor manufacturer to ship a CHERI-enabled Morello prototype processor, system-on-a-chip (SoC) and board; others are expected to follow suit. Microsoft has already signaled its interest in CHERI because it deterministically mitigates vulnerability classes—rather than giving a high probability of detecting them—to eliminate the need to depend on secrets to secure IT environments.
The vast majority of security vulnerabilities can be traced back to an issue involving how memory is accessed by an application. Cybercriminals then exploit those vulnerabilities to launch an attack that, for example, takes advantage of a buffer overflow to access data. Developers are transitioning to memory-safe languages such as Rust, Go, C#, Java, Swift, Python and/or JavaScript to eliminate many of these vulnerabilities. At the same time, the maintainers of Linux are starting to embrace Rust as an alternative to C to eliminate these types of vulnerabilities from the Linux kernel.
It’s not clear whether developers are abandoning older programming languages in favor of memory-safe languages, but replacing trillions of lines of already-built code that use a variety of legacy languages may not be feasible. Addressing the issue at the instruction set level could resolve a major cybersecurity issue.
It may be a while before improvements to code in development coupled with inherently more secure platforms materially improves the state of cybersecurity. However, it’s apparent advances are being made that mitigate years-old mistakes that were made before developers routinely considered the cybersecurity implications of the ways code was constructed and run.
In the meantime, cybersecurity teams should expect to see the same AI platforms used to improve code also used to launch more sophisticated cyberattacks in the months ahead. As is the case with any tool, AI could be used for both good and nefarious purposes. The challenge is finding ways to thwart cyberattacks generated via AI platforms while waiting for other AI advances to provide some long overdue relief.
