AI finds thousands of zero-day exploits... including in FreeBSD.

[blackbird9]

Oh well, we shall have to see if re-writing everyting in Rust is the solution. I wonder how that's coming along?

 

[drhowarddrfine]

Claude turned me into a newt.

 

[OpenFreeNet]

Oh well, we shall have to see if re-writing everyting in Rust is the solution. I wonder how that's coming along?

A possible "dreaming scenario": important parts of FreeBSD like Jails and Capsicum will be checked and declared secure (more feasible than in Linux); then all the rest of services and applications will be built/adapted composing these parts. This will reduce a lot the escalation of security problems in non-safe code. A bad video will break ffmpeg output but not the system, and it will be self-sabotage...

The majority of secure systems (e.g. seL4, Google Fuchsia) use capabilities, so FreeBSD is well positioned in this regard.

Or maybe they can combine static source code analyzer (a sort of formal analysis) with AI. AI can automatize a lot the double checking of the many (too much) false warnings.

 

[Zare]

My .02$; Anthropic is spamming FUD all over the place, the handling of the new model is a clear proof. Check out their papers, those are not scientific papers, they literally write like they're in awe of the output. The progress curve is shrinking and just like OpenAI used to do, they will gaslight the audience.

"A flaw in OpenBSD's TCP SACK implementation dating back to 1999. A signed integer overflow allowing remote denial-of-service. The kind of bug that survived hundreds of reviews, dozens of major releases, thousands of pairs of eyes. Still there.

A defect in FFmpeg's H.264 decoder, 16 years old. A sentinel collision causing an out-of-bounds write. Automated tools never caught it. Not for lack of trying: 5 million fuzz tests. Zero results. Mythos found it by analyzing the code directly."

Although it doesn't say so, what would have impressed me would be if it only found ONE bug in openbsd... we don't know the full number, of course.

"The model chained multiple Linux kernel vulnerabilities to build a full privilege escalation path, defeating hardened protections: stack canaries, KASLR, W^X. Not an isolated flaw. A working attack chain.

On FreeBSD, Mythos autonomously identified and exploited a 17-year-old remote code execution vulnerability in the NFS service. Unauthenticated root access. Fully autonomous. No human steering.

And then there's this: against Firefox 147, the model successfully developed JavaScript shell exploits 181 times. Claude Opus 4.6, the previous best model? Twice."

This gist was written by LLM.
I wonder whether I would take its output more seriously if it didn't engage in that braindead style of writing, close to speaking style of a certain important country's president.

Again, Anthropic is trying to one up OpenAI by selling FUD directly to the major corporations. The fear-of-missing-out pattern OpenAI has used on individuals is dwindling down and Anthropic has retargeted the same approach towards major IT enterprises; now if you're a major software company, you might be missing out on not having Anthropic as "security partner", just like everyone here who wasn't using OpenAI for their projects has missed out on having "Artificial Intelligence" as their engineering sidekick.

As for the FreeBSD NFS exploit, nobody same would claim that stuff is secure. It is ancient code, hasn't been audited and refactored for secutiry as far as I know. It is not nice having a remote exploit in the base install, again, FreeBSD is ~35 years old and has never ever had a code freeze for a proper security audit, nor it can do that.