Vitalik Buterin argued that formal code verification techniques aided by artificial intelligence (AI) represent an answer to the problems that AI itself poses to cybersecurity, and that this process can produce software that is more secure than software written by humans without mathematical underpinnings.
Buterin’s paper, published today, May 18, on his personal blog, appears to be a direct response to those who argue that AI will facilitate the automatic detection of vulnerabilities, making it impossible to trust code without relying on large organizations.
According to Ethereum’s co-founder, this is a temporary issue, not a structural one. He said that the equilibrium state he was aiming for was as follows. “It was more advantageous for defenders than before.”
Suggestion: 2 objects, 1 test
Buterin’s central argument is that formal verification (mathematical proof that a program does exactly what it promises) can be verified automatically.
According to his approach, AI models can be coded in low-level assembly language that is optimized for speed, and at the same time Generate a mathematical proof that proves equivalence to the human-readable version. The result is two separate objects. One is optimized for efficiency and the other is optimized for understanding and unified by verifiable evidence. Buterin said users can validate their tests once and then run a quick version without having to audit the code internally.
Within this framework, Buterin mentioned active projects within the Ethereum ecosystem that apply this approach.
- evm-asm: A formally verified implementation of the Ethereum Virtual Machine (EVM) written directly in assembly code (the language closest to the hardware without the need for a middle layer).
- arcrib: A system aimed at building a verified implementation of STARK, a type of zero-knowledge (ZK) proof, a cryptographic mechanism that allows you to prove the correctness of a computation without exposing the data.
- Similar efforts on consensus algorithms Byzantine fault tolerant. Errors in human-written tests have already caused documented problems.
According to Buterin, the strength of this approach lies in the fact that it is verified. Cover your system end-to-endThis eliminates categories of errors that occur at the interfaces between subsystems.
Vitalik Buterin recognizes the challenges of his proposal
However, his own Buterin recognized the limitations of his approach. Formal verification does not prove that the software is “correct” in the user’s sense of the term. It simply proves that the code supports the mathematical properties that the developer chooses to specify.
If these properties are incomplete or the developer did not specify important points, The test passes, the failure remains. It also does not cover hardware behavior such as power analysis side-channel attacks that expose private keys by observing physical patterns outside the code.
As reported by CriptoNoticias, Buterin said in a previous article that when programming with AI, “Perfect security is impossible.”However, he estimates that in many specific cases, it is possible to verify specific statements that eliminate more than 99% of the negative consequences of failure.
Case to feed to the opposite side
Last May, the Google Threat Intelligence Group (GTIG) reported what was the first documented case of a “zero-day” vulnerability (a flaw for which no patch is available at the time of use). Developed with AI assistanceas reported by CriptoNoticias.
According to Google, the exploit allows open-source systems management tools to bypass two-step verification, and clues in the code point to language model involvement.
In February, decentralized finance protocol Moonwell recorded a loss of $1.7 million after an AI-generated smart contract caused the price of its cbETH assets to drop to $1.12, compared to the actual market price of more than $2,200. This difference allowed fraudulently valued collateral to be exploited before the team detected an anomaly.
According to analysts, Bug passed full human review before implementationplacing responsibility not only on the model but also on the supervisory process.
Charles Guillemet, chief technology officer at Ledger, recently warned: AI “breaks down barriers to entry” For the attacker. With their approach, converting differences between two versions of a binary into a feature exploit (a process that previously required days of specialized work) can now be completed in hours, even though most users have not yet installed the corresponding patch.
The positions of Mr. Buterin and Mr. Guilmet point out that: Different diagnoses for the same phenomenon: The first argues that formal validation turns AI into a clear tool for defenders. Second, AI is reducing attack costs faster than the industry can keep up with.
(Tag translation) Ethereum (ETH)
