AI Augments Finding Vulnerabilities, Not Replaces

April 7, 2025 AM (Last Modified: April 7, 2025 AM)

Through a combination of static code analysis tools (such as CodeQL), fuzzing the GRUB2 emulator (grub-emu) with AFL++, manual code analysis, and using Microsoft Security Copilot, we have uncovered several vulnerabilities. … Copilot identified multiple security issues, which we refined further by requesting Copilot to identify and provide the five most pressing of these issues. In our manual review of the five identified issues, we found three were false positives, one was not exploitable, and the remaining issue, which warranted our attention and further investigation, was an integer overflow vulnerability.

I do feel like this article reflects my own experience with AI programming. Reading it as AI replaces code scanning is a misnomer. AI generated so many false positives they had to prompt Copilot for the ‘most pressing issues’. This in addition to continuing to use static analysis tools and fuzzing. File under, understanding how code work is still critical.

_{Quote Citation: Microsoft Threat Intelligence, “Analyzing open-source bootloaders: Finding vulnerabilities faster with AI”, March 31, 2025, https://www.microsoft.com/en-us/security/blog/2025/03/31/analyzing-open-source-bootloaders-finding-vulnerabilities-faster-with-ai/}