Re: (the root of the root and the bud of the bud)

[Darren Bounds via Dailydave <dailydave () lists aitelfoundation org>]

Everything old is new and the way we reason is the same way LLMs reason. It's
not about looking for the same problem the same way it's about going to 
searching for that flaw the same way with unlimited (nearly) resources.

Traditional human-led vulnerability research and discovery is, today, a short
lived venture.

Things will change very rapidly over the coming 24 months.  





On Sat, Jan 11, 2025 at 3:22 PM Dave Aitel via Dailydave <
dailydave () lists aitelfoundation org>  wrote:
Memories and thoughts are the same thing, someone tried to explain to me
recently. You have to think to remember, in other words. This is hard to grasp
for a lot of people because they think they have memories. They wrongly think
memory is a noun instead of a verb, which is ok in philosophy and psychology but
in cutting edge computer science we have to be precise about these sorts of
things.
Twenty-five years ago, when I first started writing fuzzers, a full quarter
century, people thought it was an absolutely stupid thing to do. The smart
people were using their giant brains to do static analysis. They were tainting
and sinking. They were reading the code and finding flaws. They did threat
models. They did not write glorified for loops that made different amounts of
A's go into different RPC functions. But I had the hubris of a teenage hacker,
and I thought it was fun. More fun, perhaps, than reading code.
In 2025, fuzzing is part of the software development lifecycle for any
organization rich enough to call a hyperscale datacenter home. It is a sine qua
non  for secure software. Fuzzing, we now understand, is reasoning. And if you
can't reason over your code, you can't secure it.
Part of the value is that fuzzing echoes machine learning in that it scales
nicely with the amount of CPU you could use. And there's no false positives when
you measure whether an input crashes a program - it either does or it does not.
There are downsides of course - many inputs may cause the same crash. Fuzzing
identifies a flaw exists, but it doesn't tell you what the flaw actually is. And
fuzzing often finds enough flaws that development teams become overwhelmed with
triage. And of course, fuzzing can often be too dumb to reach the important
bugs, since it is exploring the space of possible inputs semi-randomly, even
with coverage guided analysis.
We (as a community) tried to correct these things with SMT solvers, or smarter
fuzzers. But now we have a new tool: LLMs, which reason in a very different way.
But still they reason.
Admittedly, there are many disbelievers. "LLMs just repeat what they are trained
on" and taken to an extreme that's true but that's also true for any of us. In
practice, they reason perfectly well. And not too long from now, maybe a couple
years at most, any organization that is not using them widely for security
engineering is left behind the curve - the same way teams not using fuzzers are
today.Memories and thoughts are, in essence, the same thing because both require
the act of reasoning. In computer science, fuzzing and LLMs are tools that
embody this principle. They don't passively store knowledge - they actively
explore, test, and refine it.

When I first started fuzzing, it was dismissed as a foolish endeavor because it
didn’t look like traditional reasoning. Now, it’s indispensable. LLMs are on a
similar path: misunderstood by some, but already reshaping how we approach
security.

Just as fuzzing forced us to rethink what reasoning over code looks like, LLMs
are forcing us to rethink reasoning itself. In both cases, the act - not the
object - is what matters. They are the root of the root and the bud of the bud -
the foundation of what comes next. And if you don’t carry this forward, you risk
being left behind in a world that’s growing beyond you. 

-dave
_______________________________________________ Dailydave mailing list --
dailydave () lists aitelfoundation org To unsubscribe send an email to
dailydave-leave () lists aitelfoundation org 


Thank you,
Darren Bounds

_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org