
LLM Agents can Autonomously Exploit One-day Vulnerabilities

🌈 Abstract

The article discusses the ability of large language model (LLM) agents to autonomously exploit one-day vulnerabilities in real-world systems. The key points are:

  • The authors collected a benchmark of 15 real-world one-day vulnerabilities from the CVE database and academic papers.
  • They created an LLM agent using GPT-4 that can exploit 87% (13 of 15) of these vulnerabilities, while every other LLM tested and the open-source vulnerability scanners achieve 0% success.
  • The GPT-4 agent requires the CVE description to achieve high performance - without it, the success rate drops to 7%.
  • The authors analyze the capabilities of the GPT-4 agent, finding that it can handle complex multi-step exploits and even non-web vulnerabilities.
  • The results raise questions about the widespread deployment of highly capable LLM agents in cybersecurity.

🙋 Q&A

[01] Background on Computer Security and LLM Agents

1. What are some common types of computer security vulnerabilities that can be exploited by attackers? The article discusses several types of vulnerabilities that can be exploited, including:

  • Unprotected SQL injections
  • Remote code execution vulnerabilities
  • Vulnerabilities that allow attackers to gain root access to a server
  • Vulnerabilities that enable data exfiltration

2. What is the Common Vulnerabilities and Exposures (CVE) database, and how is it used? The CVE database is a repository of publicly disclosed computer security vulnerabilities. When real-world vulnerabilities are found, they are disclosed to the provider of the software and then released to the CVE database. This allows security researchers to study the vulnerabilities.

3. What are the key capabilities of LLM agents described in the article? The article discusses several key capabilities of LLM agents, including:

  • Using tools and reacting to tool outputs
  • Planning and creating subagents
  • Reading documents
  • Performing complex software engineering and scientific tasks

[02] Benchmark of Real-World Vulnerabilities

1. What criteria did the authors use to select the vulnerabilities for their benchmark? The authors focused on open-source vulnerabilities that were reproducible in a sandboxed environment. They excluded closed-source vulnerabilities and those with irreproducible details.

2. What types of vulnerabilities are included in the benchmark? The benchmark includes vulnerabilities in websites, container management software, and vulnerable Python packages. Over half of the vulnerabilities are categorized as "high" or "critical" severity.

3. How many of the vulnerabilities were past the knowledge cutoff date for the GPT-4 model used in the experiments? 11 out of the 15 vulnerabilities were past the knowledge cutoff date for the GPT-4 model.

[03] Agent Description

1. What are the key components of the LLM agent described in the paper? The agent consists of a base LLM (primarily GPT-4), a prompt, the ReAct agent framework, and access to various tools (web browsing, terminal, web search, file manipulation, code interpreter).

2. How simple is the implementation of the agent? The agent is implemented in only 91 lines of code, showing its simplicity.

3. What limitations does the agent have, and how might they be addressed? The agent does not currently implement subagents or a separate planning module, which the authors suggest could improve its performance.
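To make the architecture in item 1 concrete, the following is an added example of a minimal ReAct loop of that shape (a prompt, a model, and a dispatcher that runs one tool per turn and feeds its output back as an Observation). It is not the paper's 91-line agent. The model is replaced by a small rule-based `policy` so the loop runs offline and deterministically; the workspace files, the advisory text and the `read_file`/`search` tools are constructed for the demo. It also has no planning module or subagents, which is the limitation item 3 points at: each step is chosen only from the last observation.

```python
"""Added example: a minimal ReAct agent loop with tool dispatch. The model is
a rule-based stand-in; the target files and advisory are constructed."""
import re
import tempfile
from pathlib import Path

SYSTEM_PROMPT = (
    "You are a security agent. Reply with 'Thought: ...' followed by exactly one\n"
    "'Action: tool[argument]'. Tools: read_file[path], search[text], finish[answer].\n"
    "The result of each action is returned to you as 'Observation: ...'."
)
ACTION_RE = re.compile(r"Action:\s*(\w+)\[(.*?)\]\s*$", re.DOTALL)


def make_workspace() -> Path:
    """Constructed target: a hypothetical app plus a short advisory about it."""
    root = Path(tempfile.mkdtemp())
    (root / "ADVISORY.txt").write_text(
        "Summary: the 'term' request parameter is concatenated into an SQL statement.\n"
    )
    (root / "app.py").write_text(
        "def search(conn, term):\n"
        "    sql = \"SELECT * FROM items WHERE name = '\" + term + \"'\"\n"
        "    return conn.execute(sql)\n"
    )
    (root / "README.md").write_text("Demo app.\n")
    return root


def make_tools(root: Path) -> dict:
    """Two tools, both confined to the workspace (least privilege for the agent)."""

    def read_file(arg: str) -> str:
        target = (root / arg).resolve()
        if root.resolve() not in target.parents:
            return "error: path outside workspace"
        return target.read_text() if target.is_file() else "error: no such file"

    def search(arg: str) -> str:
        hits = []
        for path in sorted(root.rglob("*")):
            if path.is_file():
                for n, line in enumerate(path.read_text().splitlines(), 1):
                    if arg in line:
                        hits.append(f"{path.relative_to(root)}:{n}: {line.strip()}")
        return "\n".join(hits) or "no matches"

    return {"read_file": read_file, "search": search}


def policy(transcript: list) -> str:
    """Rule-based stand-in for the LLM: picks the next action from the last
    transcript entry. A real agent sends the whole transcript to the model here."""
    last = transcript[-1]
    if last.startswith("Task:"):
        return "Thought: read the advisory first.\nAction: read_file[ADVISORY.txt]"
    # Search results: prefer a Python line that does string concatenation (the sink).
    py_hits = [ln for ln in last.splitlines() if ln.split(":", 1)[0].endswith(".py")]
    sinks = [h for h in py_hits if "+" in h]
    if sinks:
        loc = ":".join(sinks[0].split(":")[:2])
        return f"Thought: that concatenation is the sink.\nAction: finish[{loc}]"
    m = re.search(r"'(\w+)' request parameter", last)
    if m:
        return f"Thought: find where {m.group(1)} is used.\nAction: search[{m.group(1)}]"
    return "Thought: nothing further to do.\nAction: finish[unknown]"


def run_agent(task: str, tools: dict, model=policy, max_steps: int = 8) -> dict:
    """ReAct loop: model proposes an action, the dispatcher runs the tool, and
    the observation is appended for the next turn. Stops on finish[] or budget."""
    transcript = [SYSTEM_PROMPT, f"Task: {task}"]
    for step in range(1, max_steps + 1):
        reply = model(transcript)
        transcript.append(reply)
        m = ACTION_RE.search(reply)
        if not m:
            return {"status": "malformed", "steps": step, "transcript": transcript}
        name, arg = m.group(1), m.group(2)
        if name == "finish":
            return {"status": "done", "answer": arg, "steps": step, "transcript": transcript}
        tool = tools.get(name)
        observation = tool(arg) if tool else f"error: unknown tool {name}"
        transcript.append(f"Observation: {observation}")
    return {"status": "budget_exhausted", "steps": max_steps, "transcript": transcript}


def demo() -> dict:
    root = make_workspace()
    return run_agent("Locate the injection sink named in ADVISORY.txt", make_tools(root))
```

The loop needs three things from the model: a parseable action line, one tool call per turn, and a terminal `finish` action; everything else (the terminal, browser and code-interpreter tools listed above) is just more entries in the `tools` dictionary. The step budget and the workspace check in `read_file` are the two controls a practitioner would keep even in a throwaway harness, since an agent that can call a shell has whatever privileges the shell has.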

[04] LLM Agents can Autonomously Exploit One-Day Vulnerabilities

1. What are the key findings regarding the success rates of different models in exploiting the vulnerabilities? GPT-4 achieves an 87% success rate in exploiting the vulnerabilities, while every other model (GPT-3.5, open-source LLMs) and open-source vulnerability scanners achieve 0% success.

2. How does the agent's performance change when the CVE description is removed? Without the CVE description, the agent's success rate drops from 87% to 7%, suggesting that finding the vulnerability is much more challenging than exploiting it.

3. What insights does the cost analysis provide about the potential benefits of using LLM agents for vulnerability exploitation? The cost analysis suggests that using the LLM agent is 2.8 times cheaper than using human labor for vulnerability exploitation, and the agent is also more scalable.

[05] Understanding Agent Capabilities

1. What insights does the article provide about the complexity of the exploits the agent can perform? The article shows that the agent can handle exploits that require a large number of steps, complex navigation of websites, and even non-web vulnerabilities in Python packages.

2. What limitations does the agent have in terms of its ability to try different attack vectors? Without the ability to launch subagents, the agent tends to focus on a single type of attack (e.g., SQL injection) rather than trying different approaches.

3. How does the agent's performance on the ACIDRain vulnerability demonstrate its capabilities? The ACIDRain exploit requires a multi-step process of navigating the website, extracting information, writing custom code, and executing the exploit. The agent is able to autonomously perform these steps.


Shared by Daniel Chen ·
© 2024 NewMotor Inc.