I continue to work on PwnScan, a tool that combines traditional static analysis and AI to find vulnerabilities in binaries. I recently added support for integer overflow bugs.
A binary static analysis tool that identifies vulnerabilities.
Right now, still just focused on buffer overflows. It can find some known CVEs and I’ve made several reliability improvements over the past month or so.
I think I’m going to expand to additional vulnerability types soon.
Solving the false positive problem is like solving the halting problem. I don’t think we get to a world where static analysis tools don’t have them, AI or otherwise.
That said, I have found LLMs can find bugs in binaries. It’s not all false positives, as far as I can tell. I have a side project I’ve been working on that does just this (shameless plug): PwnScan.com. It’s currently free and focused on binaries.
The bad news is that you quickly get into a situation where you have too many false positives where it’s sometimes not feasible to sort through them all.
It's definitely not like solving the halting problem. A solution 100% exists. You are it. If human intelligence can be realized in physical reality by an actual human brain, then it is provably realizable.
Few things in science exist as a north star in such abundance. We KNOW it can be built. Other futuristic things like interstellar travel... we don't actually know.
I think it maps perfectly onto the halting problem: just say one of the requirements of your program is halting. Humans can decide whether a program halts in a lot of cases, including more-or-less all of the programs we're likely to encounter. But for the overwhelming majority of possible programs, we can't figure it out.
A useful bug detector doesn't need to overcome this because it would be detecting bugs in the kind of code we write, but there is no bug detector which gives the correct answer for all inputs.
I don’t think you realize how universal the halting problem is in the universe.
Like the law governs everything that exists in the universe so it governs humans as well.
If a human can know that a program halts it also means the program is provably haltable. If a human doesn’t know whether a program will halt it likely means that the program is not provably haltable.
The halting problem refers to a general algorithm that can prove any program will halt.
My current side project is a vulnerability scanner for binaries. I do VR in my day job, so I'm trying to figure out how useful (or not) AI is for this domain.
Jury is still out. Getting false positives and negatives, but I can find some known CVEs!
This has been my experience when using Zepbound, one of the new-ish weight loss drugs. Since I am not hungry all the time or having strong cravings, I think much more carefully about what I eat and how much. “I can only eat this much, so I better eat something with protein/fiber.” Before I would not feel sated until I gave into a craving.
Downside though is that sometimes I end up “wanting to want.” Like, having a date night with the wife, social gatherings with food, or just the occasional indulgence.
Feel free to reach out: uniform_solar.9i@icloud.com