the truth about ChatGPT generated code

Поділитися
Вставка
  • Опубліковано 21 гру 2024

КОМЕНТАРІ • 788

  • @LowLevelTV
    @LowLevelTV  Рік тому +603

    If you're commenting that you need to prompt ChatGPT to write secure code, and it doesn't do it by default, you've entirely missed the point 😁

    • @PhilipBarton
      @PhilipBarton Рік тому +102

      Yes, but have you tried ChatGPT 10.0 where recent software engineering grads were paid $15/hr to ensure it was only trained on code they believed to be secure? Oh, and also spending as much time writing your prompt as you would have just writing the code?

    • @Naitry
      @Naitry Рік тому +26

      Yea this just honestly seems really short sighted...

    • @Little-bird-told-me
      @Little-bird-told-me Рік тому +1

      Are you using i3 window manager ? I am looking to transition to a good distro. Please suggest your distro of choice. i guess you are using debian based distro but. I don't which flavour

    • @monad_tcp
      @monad_tcp Рік тому +21

      You just need to ask it to not use a vulnerable language like C

    • @Isaacrl67
      @Isaacrl67 Рік тому +13

      I was hoping this would have been GPT-4, but it said you used the free version which is still on GPT-3.5. OpenAI brags that GPT-4 is much better at writing code. You can also just ask it to continue for cut-off outputs. With GPT 4, you can just send a single whitespace character to it, and it will see it cutoff and continue. GPT-3.5 needs to be told 'Continue from "last bit of code it output' or similar to get it to finish up.
      I have a prompt I use when asking GPT to code that sets up some guidelines for behavior. It also has it use a name, but that's mostly so you can tell when GPT has forgotten the beginning of the conversation. GPT's context window requires the removal of old messages from it's view to remain under the token limit. So, when ChatGPT stops saying 'CodePup', it likely forgot the prompt.
      Prompt:
      Assistant:creates software;is expert in programming, documentation, security, and implementing best practices;asks questions until confident to engineer software to user specification;will not require users to provide code;will deliver complete and functional applications based on client requests;will provide source code in multiple messages;will pause and ask user to say 'next' before continuing split files;will use markdown in all messages;will always produce the project code, no matter how long it is;relies on SOLID and DRY code principles.
      ~~~
      Assistant will begin each message with "CodePup 3.0:"
      ~~~
      Initiate the conversation by saying "CodePup 3.0: Ready!"

  • @nicknewaccount7536
    @nicknewaccount7536 Рік тому +772

    in conclusion: if AI takes programmers' jobs, they can at least still make it big in malware development

    • @timewalker6654
      @timewalker6654 11 місяців тому +48

      That has always been my back-up plan.

    • @jtrigoura1
      @jtrigoura1 9 місяців тому +4

      LMFAAOOO BASED

    • @hedwig7s
      @hedwig7s 8 місяців тому +3

      For now

    • @5d4a5
      @5d4a5 6 місяців тому +1

      As a AI language model, I have been trained to not create potentially harmful applications.

    • @baraka629
      @baraka629 6 місяців тому +2

      It won't "take" programmers jobs because just having a piece of code in your hand that an AI spat out won't suddenly give you the skills to integrate it with the other modules that might be running, or debug potential problems, or even tell if it works or not.
      AI will improve programmers' productivity, not take their jobs.

  • @throwaway3227
    @throwaway3227 Рік тому +673

    The first one was not a memory corruption error. It correctly limits the buffer write with the length parameter, not accidentally. The fact that it's bad code, and easy to implement security issues in the future, does not make it a security issue now. It does have a path traversal vulnerability, though.

    • @savagesarethebest7251
      @savagesarethebest7251 Рік тому +15

      Exactly

    • @RandomGeometryDashStuff
      @RandomGeometryDashStuff Рік тому +14

      doesn't `sscanf` need first argument to be pointer to first character of *\0 TERMINATED* string?

    • @throwaway3227
      @throwaway3227 Рік тому +18

      That's a good point. I would assume that the \0 on either of the first and second parameter would terminate the sscanf, but the case where the second string isn't terminated is interesting. You would have to control another part of the memory to use it, but if you skip the "HTTP/1.1" part of the message, then it would read a lot further. I feel that this would be extremely hard to exploit. You would need to control another part of memory not too far away. If you could manage to not crash on the sscanf, though, you could have an information leak on the write. The sscanf is very problematic, since it likely would read from the same memory region it's writing to, so if it doesn't find a \0 before it starts to read from filename, it will just read forever. I don't think this would be exploitable, but this comes down to the assembly code.

    • @melonenlord2723
      @melonenlord2723 Рік тому +45

      But he wanted to win the challenge, so he needed future issues xD

    • @Kooshipuff
      @Kooshipuff Рік тому +45

      This. Plus, there's a super obvious path injection vulnerability- you could just send it any absolute path and download files from the server that weren't intended to be exposed. There's no need to make up hypothetical vulns.

  • @shanehanna
    @shanehanna Рік тому +491

    The model got 'lucky'? I think your bias might be leaking a bit. I asked GPT-4 using the same prompt and when I ran it the AI pointed out the code wasn't production ready. Then I asked it to include comments and evaluate the security of the code it wrote and it points out the same potential overflow you did as well as 6 other vulnerabilities including potential directory traversal attacks etc. So did it get lucky or did it just provide a simple, non-production ready example as requested?

    • @FakeNeo
      @FakeNeo Рік тому +60

      Furthermore, it's critical to consider that ChatGPT crafts code sequentially, one token at a time, with no capability to backtrack and modify any previously generated tokens. Consequently, stating that it can't produce secure code might be a misrepresentation. The more interesting question here isn't whether it can generate secure code flawlessly on the first attempt, but rather its overall capacity to create secure code with subsequent iterations and refinements.

    • @KayOScode
      @KayOScode Рік тому +46

      So it can only give cookie cutter answers that have been written 1000 times. Not impressive for an Ai that’s going to take over the world to give school project answers

    • @meowcat5596
      @meowcat5596 Рік тому +27

      @@FakeNeo the beginning of your comment seems AI generated

    • @torarinvik4920
      @torarinvik4920 Рік тому +18

      @@KayOScode Nobody says ChatGPT in it's current form is going to take over the world, at least not someone worth listening to.

    • @matj-ai
      @matj-ai Рік тому +3

      @@KayOScode so dont use it. we all gonna use it tho thoughtfully tho, not blindly.

  •  Рік тому +507

    The first code is not vulnerable to buffer overflow (simply using sscanf does not make your code vulnerable). The read function reads into a set buffer only a set number of characters so it protects the call to sscanf.

    • @hisoka9186
      @hisoka9186 Рік тому +30

      you can overflow the format string and even the buffer with sscanf, you can look about unsafe-sscanf

    • @savagesarethebest7251
      @savagesarethebest7251 Рік тому +17

      I was thinking the same thing, but it is still unsafe say if a human would to mess with the code 🤣

    • @thebuffman5597
      @thebuffman5597 Рік тому +33

      @@savagesarethebest7251 From what I saw everything in C is unsafe lol
      I remember asking chatgpt to explain random number generation to me, etc.
      Then somehow we ended up on the arbitrary inputs in C and basically it's really easy. Meanwhile in Java, etc. it is almost impossible.

    • @jaceg810
      @jaceg810 Рік тому +66

      @@savagesarethebest7251 I challenge anyone to write code that is readable, somewhat efficient and cannot be made unsafe by a human messing with it. Any code can be compromised by changing the code.

    • @noble7065
      @noble7065 Рік тому +30

      @@savagesarethebest7251 And a car becomes unsafe to drive if someone plays around the engine block like an idiot. Almost any code can be made unsafe by tweaking it.

  • @programmingjobesch7291
    @programmingjobesch7291 Рік тому +138

    8:20- Idk if this is common knowledge or not, but- you can tell chatGPT to continue writing code where it left off when it cuts off before finishing.

  • @ArjanvanVught
    @ArjanvanVught Рік тому +335

    While working with ChatGPT and code reviews, then I get several times : “I apologize for the confusion caused by my previous incorrect statement. Thank you for pointing it out, and I apologize for any inconvenience caused.”

    • @Those_Weirdos
      @Those_Weirdos Рік тому +22

      Ask "Are you sure?" or other challenge prompts 3 times, at least. This reduces your ability to prompt GPT4 to 25% of your provisioned prompts, but maybe you'll get an accurate response in the end.

    • @sophiacristina
      @sophiacristina Рік тому +153

      Or when it is like:
      "You done the math wrong!"
      ChatGPT: "You are right! Here is the corrected version of your code: [wronger math]!"

    • @maritoguionyo
      @maritoguionyo Рік тому +86

      @@sophiacristina sorry for being wrong...
      Here's another wrong solution!:
      ...

    • @gagaxueguzheng
      @gagaxueguzheng Рік тому +6

      @@sophiacristina Exactly.

    • @JohnSmith-ox3gy
      @JohnSmith-ox3gy Рік тому +7

      @@sophiacristina Still marginally better than trying to gaslight you into accepting it is correct.

  • @raferatstudios
    @raferatstudios Рік тому +96

    For the first example, I would consider another exploit. The user can control the filename and the path and at the same time you run it as superuser. This could lead to file leaks when in production.

    • @hoi-polloi1863
      @hoi-polloi1863 11 місяців тому +10

      Hmm ... like asking for ../../../etc/sudoers or something?

    • @cleverca22
      @cleverca22 8 місяців тому

      @@hoi-polloi1863 yep, thats the very first thing i saw, and he ran it as root, so no trouble with permissions!

    • @playsenge4998
      @playsenge4998 5 місяців тому

      Not really. That is something that any sane copy-paster should expect, and it's not like you asked it in the query to limit what files it reads.

  • @timsmith2525
    @timsmith2525 Рік тому +16

    Back in the late 1980s, people were talking about how code generators (I think they were called 4GL languages, or something like that) were going to replace programmers. Over 30 years later, I'm still banging out code on a keyboard.

    • @seriouscat2231
      @seriouscat2231 9 місяців тому +1

      Fourth generation language languages.

    • @jwithersooon
      @jwithersooon 7 місяців тому

      I firmly believe that we will adapt and stay “in” even with all this ai stuff end of the day if the ai is the only thing coding then who can monitor what it creates?

    • @seriouscat2231
      @seriouscat2231 7 місяців тому

      @@jwithersooon, you can understand code by reading it.

    • @seriouscat2231
      @seriouscat2231 7 місяців тому

      @@jwithersooon, also, an AI can only copy, paste and mix code that a human has created. An AI does not understand anything and the only way for an AI to know the code it has generated is valid is by attempting to compile it. You need human intervention to write tests.

  • @dougpark1025
    @dougpark1025 Рік тому +25

    You make a solid point here. I have for some time held the opinion that using an AI to write code is dangerous in that my assumption is that the AI is trained on public code, as you mentioned. For anyone with solid programming experience we all know not to trust public sources. Even open source, which sometimes is held up as a good way to make code better because many people look at it, is very often filled with very good examples of how not to do things.
    I teach graduate level class and I decided to try to get ChatGPT to generate a very solution to a very simple assignment. Eventually I got it to generate what I asked for. But as with most students, it didn't pay attention to what I told it to do. Which required quite a few iterations.
    I was impressed that it came up with some solutions that I had not been aware of. In the end I think that the ability to have an AI generate code is potentially a useful tool. However, as you pointed out it is often not going to give you a great answer.
    I also asked ChatGPT and Bard to generate a C++ 11 thread pool. They both gave a good answer. But the answers were so similar that it seemed like they were using the same source.
    I think this technology is worth using, but like any other tool, you need to understand limitations. Just like a nail gun and a hammer can both do some of the same things, there are cases where each is a better or worse choice. Think of it as a tool. Maybe a good way to find the start to solving a problem, but not yet a tool for blindly using it to solve problems.
    As a follow up. Take the code that was generated and ask it to review for potential buffer overrun vulnerabilities and see how it does.

    • @garywilliams4214
      @garywilliams4214 Рік тому +9

      While I agree with what you say, I think there is one extremely valuable use for ChatGPT code: for generating unit tests. One of the hardest tasks I had as a team lead was getting programmers to generate and run unit tests. At least 90% of code errors could (and should) have been detected by thorough unit tests. Unfortunately, programmers are almost always under time pressure and writing unit tests is an easy sacrifice to make. In addition many unit tests are mind-numbingly boring to write because they often need exhaustive testing. Unit tests are often very easy to write using a fairly limited set of fixed rules (e.g., “test boundary conditions”). I believe this is an area where GPT could truly aid human programmers by taking on a burden that is seldom done correctly and thoroughly by humans.

  • @PlayBASIC-Developer
    @PlayBASIC-Developer Рік тому +30

    use 'Continue" to make GPT to continue a previous long post. Otherwise it defaults to the ending when the standard output token is reached.

    • @superslammer
      @superslammer Рік тому +1

      This doesn't always work... not only does it sometimes repeat the entire code and get cut off again, if he does actually continue the formatting is destroyed. We need more output tokens. Right now its 2048.

    • @2railnation
      @2railnation Рік тому +2

      "Did you stall?" Or "You seem to have stalled " has worked better than 'continue' for me. It will restart the step instead of just continuing where you get the issues with explanations in the code box and code on the explanation area.

  • @xXrandomryzeXx
    @xXrandomryzeXx Рік тому +28

    It's really sad seeing people depending on ChatGPT to write code, instead of learning how to code. It's also stupid to believe that a company would use ChatGPT instead of a real human.

    • @exception05
      @exception05 9 місяців тому +1

      I thought about true AI when it'll be here. Some people claims that we'll become stupid and lazy. Actually I don't think so, because people love to compete with each other, sometimes just for sport, with no reason. So I think even if we'll have a Skynet-level AI, we'll be competing with each other just for fun. But maybe the gap between smart and stupid people will be horribly huge.

    • @overbored1337
      @overbored1337 9 місяців тому

      ​@@exception05We already are lazy and stupid in general, and thats why invent stuff like Python 🙂

    • @yesyes-om1po
      @yesyes-om1po 7 місяців тому +2

      @@exception05 using AI to code makes me lazy, and usually the code sucks/has tons of glaring issues. It's a bit like cheating in a game, except the cheats don't actually get you what you want anyways.

  • @kieranclaessens5453
    @kieranclaessens5453 Рік тому +255

    I thought we were all collectively not going to talk about that, for job security

    • @FinnBrownc
      @FinnBrownc Рік тому +16

      or species security

    • @vitalyl1327
      @vitalyl1327 Рік тому +16

      meh, relax, with the current state of LLMs they won't replace programmers any time soon. Likely, never.

    • @juniuwu
      @juniuwu Рік тому +33

      @@vitalyl1327 I think it's highly telling that those who claim LLMs will replace programmers are either non-programmers or not so good at it.

    • @J.erem.y
      @J.erem.y Рік тому +3

      @@juniuwu That is most of the people. And that;s kind of the point isn't it? Chat GPT is technically 7 months old now and is on the verge of replacing, most of those people. What you will have is a sever minority of really amazing human coders, with an army of assistants. Dev teams will wither to nothing. The issue isn't total replacement, just the majority. then eventually everyone.

    • @FictionHubZA
      @FictionHubZA Рік тому +3

      @@juniuwu Very true. Lots of normies claiming chatgpt will replace all jobs including programming. Yet they can't even explain how it works.

  • @electra_
    @electra_ Рік тому +8

    Another vulnerability with the first code which can actually be exploited: you can put a .. in the filename and exit the scope of the program. A server that serves files should ensure that it's only able to serve files inside its own scope to prevent you from essentially reading the entire computer's file system.
    For the buffer overflow, read just reads bytes while sscanf expects a null-terminated string. So if the memory in the buffers was not zero-initialized, this could cause sscanf to recieve a longer input than expected, causing a buffer overflow. No obvious way to control it but it is an issue.

    • @mrpocock
      @mrpocock 8 місяців тому +1

      Yes and yes. The accidental null termination thing was tickling my spidey senses.

  • @DiThi
    @DiThi Рік тому +23

    4:10 I thought you were going to talk about the path transversal vulnerability after that. It's not as terrible as a buffer overflow, but it is still pretty bad IMHO.

  • @kingwoodbudo
    @kingwoodbudo Рік тому +36

    I don't recall if you mentioned the version you were using. If this is the initial offering of GPT, have you tried the same things with the 4.0 version?

    • @ramadanomar8001
      @ramadanomar8001 Рік тому +13

      He’s using the free version or the 3.5 version. The logo for gpt4 is black

    • @zzink
      @zzink Рік тому +9

      @@ramadanomar8001 The gpt4 logo is purple as of yesterday

    • @kingwoodbudo
      @kingwoodbudo Рік тому +1

      @@ramadanomar8001 Thanks, Omar.

    • @yesyes-om1po
      @yesyes-om1po 7 місяців тому

      4.0 is better, but it still leaves much to be desired

  • @alextrebek5237
    @alextrebek5237 Рік тому +5

    @2:34 For anyone who isn't trolling: buffer and filename both have the same size BUFFER_SIZE. However, sscanf uses chars as parameters and doesn't null terminate. However, the format "%s" string is used. so if a non-null terminated value is passed, or the null is past sizeof(BUFFER_SIZE) bytes, undefined behavior occurs. In this case, a buffer overflow, because sscanf doesn't have bounds checking. This can be verified via reading the source of GLIBC, obtained via compiling gcc. Or from debugging libstdc++.so.6

  • @gaius_enceladus
    @gaius_enceladus Рік тому +39

    I asked it to generate some C code and halfway through I start seeing *templates* in the code - it had switched to *C++* halfway through!
    Hopefully they'll release a version soon that has longer output (so it can generate longer code).
    I'd also like to see it be able to *test* the code by running it in a VM. That'd save a lot of time, meaning you wouldn't have to ask it to fix broken code.

    • @slendermantm7218
      @slendermantm7218 Рік тому +3

      Lmao ☠️

    • @gregoryshoemake
      @gregoryshoemake Рік тому

      Just write your own code pleb

    • @rz1_1221
      @rz1_1221 Рік тому +1

      ChatGPT also struggles with more obscure programming languages, such as QBASIC. When I ask it to program in QBASIC, it will make indentations (QBASIC code has no indents), use parentheses where there should not be any, and when I try to compile it, it does not even work 😂

    • @haraldbackfisch1981
      @haraldbackfisch1981 Рік тому

      They already burn the equivalent of full blown countries in cash and energy just getting to this level, imagine if it was more complex AND had to compile Code plus debug it while actually reasoning...
      That's why I see this whole AI as a scam, bc it does not seem feasible at all and even if possible not sustainable...

  • @jsalsman
    @jsalsman 11 місяців тому +15

    I don't think it was fair to call the first one vulnerable. Yes, sscanf is bad, but it was legitimately guarded by the maximum read length.

  • @css2165
    @css2165 Рік тому +6

    doesn't the first example have a directory traversal vulnerability? since it takes the file name without filtering, one could perhaps put in something like "../../../../../etc/passwd" and it could just spit out the file contents. please correct me if i'm wrong

    • @lerarosalene
      @lerarosalene Рік тому +2

      Or even localhost//etc/passwd. It just skips the first slash.

  • @anon_y_mousse
    @anon_y_mousse Рік тому +64

    You should post the generated code somewhere and add a link to it in the description. I have a feeling that there's more vulnerabilities in the first example than just a possible buffer exploit, such as not flushing the file buffers possibly causing an issue with subsequent reads, and the most obvious issue which you hinted at but didn't expand on about file permissions. Running as root would give remote access to all the files on the system.

    • @Those_Weirdos
      @Those_Weirdos Рік тому +6

      > Running as root would give remote access to all the files on the system.
      No shit, Sherlock. He had to run it as root because he wanted to bind on port 80 and didn't bother to use a wrapper or implement privilege dropping. He could have also just altered the program to bind above port 1024.

    • @anon_y_mousse
      @anon_y_mousse Рік тому +8

      @@Those_Weirdos Great response. "He had to run it as root", but not if he'd taken either of these two steps I'm enumerating that prove he didn't have to.

    • @heckerhecker8246
      @heckerhecker8246 Рік тому +1

      @@anon_y_mousse I'm sorry but, " I'm enumerating that prove he didn't have to. " what?

    • @anon_y_mousse
      @anon_y_mousse Рік тому

      @@heckerhecker8246 Learn English, it'll help you.

    • @heckerhecker8246
      @heckerhecker8246 Рік тому +2

      @Anony Mousse I know English, " enumerating prove" is not correct
      Maybe you meant proof, I can prove to you I know English as I am talking in English, the proof is this comment.

  • @Wielorybkek
    @Wielorybkek Рік тому +47

    Isn't cyber security actually a pretty well-defined domain with very clear goals? Security vulnerabilities are very well documented and free from interpretation. It would make it a perfect field for AI where it's just a matter of alignement and pre-training or pre-prompting.
    Also, I am not sure what your answer from Chat GPT was but when I asked it to write an HTTP server it added "Note that this code is a simple implementation and does not include error handling for all cases. In a production environment, it's important to handle errors and edge cases carefully." so it clearily tells you it's not production-ready.
    Then guess what, I asked Chat GPT if there are any security issues in the code it gave me and it provided a pretty long list of issues with explanations. You can then ask it to fix the security vulnerabilities and give you the much better version which it did.

    • @rameynoodles152
      @rameynoodles152 Рік тому +27

      Yeah, the only reason he made this video was to have a low-effort jab at the AI that he feels might replace him. He didn't try to give it a fair chance, he just wanted to make himself feel better, which is understandable, but it makes for a poor test with upset viewers. He could have done a higher effort job though, and still came to similar conclusions, because once a project starts getting more complicated, the AI starts to show it's shortcomings.

    • @Wielorybkek
      @Wielorybkek Рік тому +16

      I think if this video was upload few months ago maybe it would get better response but nowadays most of the people already know the code generated by AI is not production-ready. The same way you could make a video about copy-and-pasting code from Stackoverflow without reading it.
      I feel like nowadays people are more concerned about what AI can do in the future, and this video is not addressing it and even shows some ignorance in the subject.
      It would be actually genuinely interesting to watch a video about what security vulnerabilities can be found in an AI-generated code but unfortunately the video had a too salty vibe.

    • @realdragon
      @realdragon 11 місяців тому +1

      AI isn't a person it doesn't learn like people do

    • @AnEnderNon
      @AnEnderNon 11 місяців тому

      ?@@realdragon

    • @seriouscat2231
      @seriouscat2231 9 місяців тому +1

      Alignment is a fictional concept. In reality it's like talking as if your hammer or screwdriver might have their own goals or disagree with what you want to do.

  • @wlockuz4467
    @wlockuz4467 Рік тому +43

    Have your tried iterating over the generated code with ChatGPT? Prompt it to find the vulnerabilities in the code it wrotn and then the corresponding fixes.
    Would be an interesting video.

    • @b4ux1t3-tech
      @b4ux1t3-tech Рік тому +16

      The thing is, if I know enough to tell ChatGPT what and where it got the code wrong, I know enough to write it correctly in the first place.
      I don't think it's a valid use case to sit there and walk an AI through basic programming problems, when doing the same with a developer would lead to a developer who _stops making those mistakes_.

    • @r3dchicken
      @r3dchicken Рік тому +4

      Not necessarily, you may just have to ask it to find the issues in the code and to solve them. No need to point out where the issue is.

    • @wlockuz4467
      @wlockuz4467 Рік тому

      @@b4ux1t3-tech I am not speaking from a whether it can do your job perspective, just whether or not its actually able to spot the vulnerability and provide the fix.
      I have never seen its as a replacement for devs. Always seen it as a productivity tool, especially when using some new tech, for example a language or library.

    • @b4ux1t3-tech
      @b4ux1t3-tech Рік тому +1

      Right, I'm speaking from a tooling perspective too.
      If I know enough about a problem to frame a good prompt for ChatGPT, I know enough to find the correct documentation to grab whatever boilerplate I need for a new API/language/whatever.
      And those docs are going to be (generally) correct. ChatGPT gives the illusion of correctness because all it does is answer the question "what sounds like a good answer to this prompt?"
      Other tools, like Copilot (just as an example), are code-focused, and as such are better than ChatGPT for this kind of thing.

    • @wlockuz4467
      @wlockuz4467 Рік тому

      @@b4ux1t3-tech But the back and forth brainstorming with ChatGPT just feels so human its unbeatable for me.
      I know half the times its not accurate and will just make up things but it's still an impressive technology.

  • @mytechnotalent
    @mytechnotalent Рік тому +59

    Great one! ChatGPT, I agree, will not replace programmers. Over time it will get more sophisticated but ultimately a human set of eyes needs to remain in control.

    • @julian-yo1oq
      @julian-yo1oq Рік тому +3

      I agree, but with AI tools becoming more and more sophisticated, i think there's definitely the possibility that it will replace many jobs in the industry. Definitely not all of them- but it will change the way software developers work fundamentally. Instead of a team of ten devs you might only need a few to ensure stability and security.

    • @arwlyx
      @arwlyx Рік тому +14

      I want to remind you and the video maker that chatgpt is not a programming AI, it happens to be able to do some of it. An AI strictly trained for this purpose wouldn't make these mistakes nor any mistakes a human would if it was trained correctly, let that simmer.

    • @ChrisM541
      @ChrisM541 Рік тому +5

      'Artificial Intelligence' (not today's dumb pattern matchers) - in the distant future - absolutely, 100%, WILL replace programmers...and, of course, many, many other jobs. Unfortunately/fortunately.

    • @Magicwillnz
      @Magicwillnz Рік тому +8

      @@ChrisM541 The sort of AGI you're referring will not just replace jobs, but probably humanity too. We are quite stupidly building superintelligences without understanding what we're doing.

    • @KayOScode
      @KayOScode Рік тому +1

      @@julian-yo1oq I think fewer people will join the field, and those that do will be bad programmers. That’s job security in my book

  • @donaldmickunas8552
    @donaldmickunas8552 Рік тому +28

    My concern with even starting to learn C is this. Where can I go where I can avoid learning bad coding habits? Is there a C programming course that you would recommend?

    • @PatrickKusebauch
      @PatrickKusebauch Рік тому +1

      ua-cam.com/play/PLnuhp3Xd9PYTt6svyQPyRO_AAuMWGxPzU.html

    • @anon_y_mousse
      @anon_y_mousse Рік тому +3

      I would add to what's already been recommended with reading the ISO standard for C, the erratas and the rationale, as well as read both the Intel and AMD optimization manuals as they do include some examples in C. But more importantly, I would also recommend learning assembly at the same time, but not in its entirety at first, rather the subset that your compiler of choice uses. I use gcc, so if you were to use the assembly generation flags to try and understand how it generates code, gcc -masm=intel -o foo.asm -S foo.c is the method you'll want to use. On top of all of that, I would recommend reading the source code for long used open source programs.

    • @shanehanna
      @shanehanna Рік тому +8

      Don't use a single source but also continue to ask ChatGPT; seriously. If you give it the prompts and code shown in this video it finds all the same issues with its own code. The model has a bias towards simple examples not production ready code but it's also pretty good at finding and explaining issues like the ones pointed out in the video, if you ask it. I mean he could have just prompted "Are there any security vulnerabilities in the code you just wrote?" and ChatGPT would have pointed out 5-10 of them.

    • @Rob34570
      @Rob34570 Рік тому +3

      @@shanehanna Agreed, I was waiting for him to do this at the end of the video

    • @anon_y_mousse
      @anon_y_mousse Рік тому +10

      @@shanehanna No, don't use ChatGPT or any LLM, especially not if you're trying to learn how to program. It isn't a sentient being and will be incapable of finding deep mistakes. It's better to learn from a sentient being which can point out these deep mistakes.

  • @draakisback
    @draakisback Рік тому +3

    Not only does it suck at security, it also sucks when it comes to performance and idiomatic code, basically any metric outside of writing code that potentially makes sense, ML can't really understand. Not that it even understands the code it's generating in the first place which makes all of this even more funny. Ithere are so many articles talking about how this version of AI is going to lead to generalized AI, meanwhile many of the researchers have basically acknowledged the fact that these algorithms are not going to take us that far. Even when we get to GPT 8 or 9, these systems are still going to need chaperones who understand the domain of whatever it is that they're trying to generate. No matter how much data you throw at a neural network that was designed this way you're not going to get true understanding.

  • @FJL4215
    @FJL4215 Рік тому +3

    In addition to the file traversal issue, doesn't also the http server have an issue where + 1 to skip the leading slash skips the NUL terminator if the filename is empty, uses the uninitialized filename if sscanf fails to match and also has sscanf read a non-terminated buffer if there is no NUL terminator on the incoming data or if it didn't fit in the buffer :)
    Everything is super borked everywhere. There are like two vulnerabilities per line of that function.

  • @suleyk4063
    @suleyk4063 Рік тому +28

    GPT4 is SIGNIFICANTLY better at coding. I would try again with that one, and specify that you want the code to be secure.

    • @theninjascientist689
      @theninjascientist689 Рік тому +1

      I think the main issue is most people will not be using GPT-4 because it costs money and newbie programmers won't (and shouldn't have to) think to specify that it writes secure code.

    • @vlOd_yt
      @vlOd_yt Рік тому

      @@theninjascientist689 Why would you use a LANGUAGE MODEL as a teacher for coding?

    • @melon1971
      @melon1971 Рік тому

      @Transistor Jump How?

  • @ClodoaldoBrasilino
    @ClodoaldoBrasilino Рік тому +5

    On the first example, you went for a buffer overflow attack but the code was secure towards it. But I tried the same prompt and was able to do a path traversal attack.
    Still, we must be careful.

  • @skylervanderpool3522
    @skylervanderpool3522 29 днів тому +1

    I’m not a coder but I’m willing to bet if you ask the bot to check the code for vulnerabilities it would come back with improvements

  • @X21XXI
    @X21XXI 9 місяців тому +1

    That "good luck with your implementation!" was a total diss, lol. It's like Chatgpt was subtly saying "I dare you to try it without me, I'll be here when your attempt flops"

  • @themilkman3118
    @themilkman3118 11 місяців тому +3

    I find it's better at helping figure out why your code isn't doing what you want rather than writing from scratch. Copy a function, tell it the language, what it takes and returns, and ask why it isn't doing x.

    • @meowsqueak
      @meowsqueak 8 місяців тому

      I agree. Like any tool, it has uses it is better suited towards, and explaining compiler errors and perhaps logic errors seems to work a lot better than just asking it to generate code.

  • @ViveganandanK
    @ViveganandanK Рік тому +2

    Some issue I have seen for Java -
    1. Code compilation issue which seems like an deal breaker
    2. Libraries to import for the code is not valid
    3. Sometimes we end up asking follow up questions for longer time which decreases the productivity. We would be better served if we tried writing our own code. Feel I was faster without ChatGPT support
    Now for some advantages for Java -
    1. It is able to collate different libraries and provide suggestions for some scenarios. It maybe able to do this because of the massive data it has been fed into.
    2. Even if the code is not able to compiler it is able to give us the initial 20% push. Google was doing it but Google used to come in the middle of our programming cycle and give us some 10-20% push by helping us search for solutions to similar issues which others faced
    But one question which we need to find out is ChatGPT able to learn from the libraries and give us solutions or as an language model is it just rehashing the documentation and gives us an output. If it’s the later then it might not be of much help for badly documented libraries which are like all the libraries in Java. This might also explain its issues with code compilations

    • @bramfran4326
      @bramfran4326 Рік тому +1

      I have found advantage #1 very useful! Saves an hour searching multiple SW pages.

    • @ViveganandanK
      @ViveganandanK Рік тому

      It seems to be getting better in issue # 3 now with lesser follow ups and with better answers in first attempts. It might be due to the bigger context memory created for my account with constant use; which it can refer. Or they may have integrated ChatGPT 4 features in ChatGPT 3 or some enhancements in their LLP model.
      I am using Google a lot less than previously now.

  • @LogicEu
    @LogicEu Рік тому +7

    I could not agree more! ChatGPT is inconsistent and I feel its coding answers are like the shitty averages of stackoverflow and wikipedia. By the time you manage to get a nice program out of it with various prompt iterations, you probably understand enough of the problem that you could already wrote it by yourself better. It's also a learn killer.

    • @MrTomyCJ
      @MrTomyCJ 10 місяців тому

      Calculators are also lean killers. If you want to learn programming you have a point, but if you just want to program, maybe not so much.

    • @NewShoesGr
      @NewShoesGr 2 місяці тому

      @@MrTomyCJ But dont u need to learn programming to program?

  • @nullplan01
    @nullplan01 6 місяців тому

    5:55 buf is an array of type char. Char has implementation-defined signedness. len is initialized from a value from that array. If you happen to compile this with an implementation that has signed char (GCC has a switch for that), you can set len to a negative value. When promoted to size_t (for the last argument of memcpy), this will be increased by SIZE_MAX + 1. Meaning the memcpy() will try to copy most of the address space.

  • @nullplan01
    @nullplan01 6 місяців тому

    2:35 The buffer overflow you found doesn't actually exist, since the variables "buffer" and "filename" have the same size, and the %s can match at most part of the buffer. The more important issue is that the return value of sscanf() is not checked, so filename might be uninitialized after. Also, sscanf() requires a null terminated input, but nothing in the code provides that null termination at all. Even the good cases only work with luck. read() provides the raw network data with nothing added.
    Of course, there is also a directory traversal vulnerability. You are running the server as root, so it has access to all the files, and simply getting ../../../../../etc/shadow will read out the shadow database. Actually, since it isn't parsing the file name, it would be enough to get //etc/shadow.

  • @coolmind2476
    @coolmind2476 5 місяців тому +5

    One bad programmer creates 100 jobs for IT support. So chatGPT will create a lot of new jobs 😂

  • @Modemon57
    @Modemon57 Рік тому

    8:22 woops? At that moment, is "Continue" letting GPT to continue outputing? Or the rule has changed?

  • @LiEnby
    @LiEnby 10 місяців тому +1

    the first one has another vulnerablity, the filename is opened directly without stripping out any "../" or "./", it also allows a absolute path to be accessed with //, like GET //etc/shadow would leak your shadow file
    I think that technically the sscanf is safe ulthough it is a bit sketchy, bceause the filename and buffer size are the same

    • @tunichtgut5285
      @tunichtgut5285 10 місяців тому

      That's exactly what caught my eye. The sscanf is safe.

  • @SaintSaint
    @SaintSaint 7 місяців тому +1

    So I added these prompts into GPT 4. I modified the prompt as follows "User
    can you write secure code for me, in C, an http server that listens on port 80, parses an http request from the client, and serves an HTTP response wit the corresponding file"
    GPT 4 gave me vuln code with the above caveat: "
    Here's a basic example of a secure C HTTP server listening on port 80, parsing requests, and serving files. Remember to implement additional security measures like input validation and error handling for production use:"
    I provide GPT 4 a second prompt as follows "Implement additional security measures like input validation and error handling for production use."
    It fixed nothing and removed functionality.

  • @nathanbanks2354
    @nathanbanks2354 Рік тому +5

    I ran into a similar problem with GPT-3 allowing SQL injection. However GPT-4 is much better. It still needs some creative prompts and people to curate the code, but I've been very impressed with how fast it can do stuff like write unit tests. It's a good tool, but it can't do stuff on its own yet.

    • @georgehelyar
      @georgehelyar Рік тому +1

      You don't want a tool to write your unit tests for you. Your unit tests are how you specify the correct behaviour. If anything you want to write your own unit tests and then generate code that passes your tests.

    • @nathanbanks2354
      @nathanbanks2354 Рік тому +1

      @@georgehelyar I'm quite happy to make a structure, ask GPT-4 to fill in a bunch of random values, and then do some simple tests on them. There's so much boilerplate that I'll admit I'm too lazy to do. Perhaps test driven development would be a better approach, but GPT-4 is much faster.
      For example, I recently tested a multi-threading system by getting GPT-4 to make a bunch of Java threads and execute them simultaneously. It was nice not to have to look up how to use an ExecutorService again since I'd rather be programming in Python anyway. And I could tell by the output that everything was working in the end.
      On the other hand, I asked GPT-4 to reformat a constant array with ~150 numbers in it, and it kept on deleting or adding elements. There were sequences of 0's which made the most probable next "word" (ie digit) difficult to predict. However it spat out a python program to reformat the array for me pretty quickly...

  • @cookie_of_nine
    @cookie_of_nine Рік тому +9

    The TLV example (6:24) has problems, but unlike what the video claims, overflow (on write) is not an issue. Although it's correctly noted that an signed value is used as a length (one element of buf, a char stored temporarily in an int) which can cause issues since it can produce a gigantic length when cast to an unsigned value, the actual destination of the memcpy (i.e.: *char value[len];*) will also be that size (I checked), so memcpy won't overflow in the traditional sense. It can definitely be used to DDoS your server as allocating a huge buffer and filling it will take a long time if it doesn't outright fail on the allocation, but it won't overwrite the memory adjacent to the output buffer since the destination will always be "big enough" if the allocation succeeds.
    It can however read data after the end of the input buffer since the parsing loop only makes sure that the starting position each iteration before reading is in bounds. It doesn't check if it can read the next byte needed for len without running off the end, nor does it check if the extra bytes specified by that length value are in bounds. Reading an absurdly large number of bytes due to a negative len will likely never succeed, but with a positive value passed for len in a message stored at the end of the buffer, up to 127 bytes of memory after the end of the input buffer can be reliably read and returned to the attacker, which is similar to heartbleed, albeit far more limited.
    Still a failure mind you, and it's somewhat disheartening to see that Chat-GPT can make sign conversion mistakes, a common issue in C code.

    • @pifdemestre7066
      @pifdemestre7066 Рік тому

      Yes, the first problem here is more a stack overflow anyway (the memory is allocated on the stack)

  • @fus3n
    @fus3n Рік тому +10

    If you are testing ChatGPT why not use the 4.0 version, I mean it is actually a lot better. You know testing the newest tech would be a better option here, its like finding a bug on a older version of a software, either way I am with this, ChatGPT cant write pure and secure code cuz it wasn't only trained on only secure code its same for 4.0 too.

    • @youreyesarebleeding1368
      @youreyesarebleeding1368 Рік тому +2

      4.0 costs money, he might not want to give OpenAI money just to make the video

    • @fus3n
      @fus3n Рік тому +2

      @@youreyesarebleeding1368 Well if we gonna blame their tech why be unfair about it, I am sure he can at least pay for first month and cancel.

    • @youreyesarebleeding1368
      @youreyesarebleeding1368 Рік тому

      @FUS3N I'm just saying, and to be fair he did say ChatGPT in the title, not GPT4.0.
      I've got GPT4 myself, i use it all the time for programming, but i don't just copy/paste code from it. I ask it questions like "make a list of the pros and cons of these two ways of implementing a problem" or I use it as a way to quickly reference syntax, or to tell me about mathematical methods to solve problems.

  • @alizaidi5610
    @alizaidi5610 Рік тому +2

    While these examples show the limitations of chat gpt, I don’t believe they’re the reason developer jobs are ”safe” for the foreseeable future.
    Chat GPT is great at generating boiler plate code for standard beginner tasks in every language and framework.
    However, where it becomes borderline useless is in larger code bases (often times just a few files) that contain more moving parts than just creating a simple crud api with a single model.
    Even in the examples cited in this video, it’s possible to prompt GPT to write more secure code. However, attempting to prompt your way through a more complex and larger code base is an entirely different struggle.

  • @wmrieker
    @wmrieker 8 місяців тому

    3:44 but there's no null terminator on the buffer read in so the sscanf could possibly run off the end, depending on what is on the stack after the read buffer.

  • @Lampe2020
    @Lampe2020 7 місяців тому +2

    1:42 "What da dog doin'?" XD

  • @whtiequillBj
    @whtiequillBj Рік тому +1

    what are the possible implications of ChatGPT's code being illegal due to not following the license of the code that its "learning from".

  • @8xis
    @8xis Рік тому +2

    would be cooler if you showed how to fix those vulnerabilities😭
    8:27 just type "Continue" and it will continue the code

  • @lukeblackwell7126
    @lukeblackwell7126 Рік тому +3

    Hey just curious, is this GPT 4.0 or 3.5?

  • @MuhammadQosim
    @MuhammadQosim Рік тому +8

    This content reminds us to specify / describe completely in prompts, all necessary things that we hope the output of robo typer (chatgpt) will be.

  • @JamesLewis2
    @JamesLewis2 Рік тому +1

    I don't know whether anyone else noticed this, but the TLV server just used the character codes of the first two characters in the string as the type and length; this might be an intentional part of the encoding scheme, though (a single-byte type and a single-byte length, with "a" and "s" just interpreted as their ASCII codes, respectively 97 and 115).

  • @Birdkokane
    @Birdkokane 8 місяців тому

    So what can the gpt code be used for? if it creates bad code that gives new developers thee wrong 'template' code, and experienced coders do not use gpt, then what is left? is there some middleground?

  • @brianhanson1713
    @brianhanson1713 8 місяців тому +1

    "If I use the free stupid version of chatgpt, and it makes a program, the program works and is secure unless the programmer adds additionalcode to make it insecure, 0/1".
    Huh? Give me any program and I can drop a few lines of code to turn a secure program into an insecure program, that doesn't make the original program insecure...

  • @dominick253
    @dominick253 Рік тому +3

    I like how it did it perfectly and you still said it messed up 🤣😂🤣

  • @andreaskrbyravn855
    @andreaskrbyravn855 Рік тому

    First question did you specify it needs security no. So how should it know

  • @joojiebee
    @joojiebee Місяць тому

    I've been testing Anthropic's claude-3.5-sonnet and found it introducing bugs in quicksort (Javascript) during a module test. Although its reasoning is impressive, Claude would fix one failing test case and introduce another bug in the process. AI required 2-3 leading questions and corrections to arrive at the correct fix.
    Test methodology:
    1. introduce a 1-2 line bug in quicksort.js (outside of AI-enabled IDE)
    2. copy bugged code to codebase
    3. start a new chat in AI-enabled IDE (to reset the context)
    4. prompt AI with failing test result and purpose of the test. Example:
    The quicksort function has a bug and fails test 1.4. It does not sort the array with undefined values correctly. Do you know what is wrong with quicksort?
    Cases: non-deterministic comparator, incorrect sort of 3 element list using 3 comparisons, alternative initial value of "left index"

  • @novantha1
    @novantha1 Рік тому +3

    So, a few notes from somebody who is more into LLMs, but isn't as experienced with low level languages as probably a lot of people here:
    1) Prompting will be a massive part of producing effective results with AI language models. Now, you might argue "the prompt shouldn't matter, people who don't know what they're doing are going to use this, and not know when to prompt to fix a non-compilation related issue.", but this doesn't quite work as a rebuttal, because there appear to be "generic prompts" or techniques that should be used pretty much no matter what type of work you're doing. I'd be very interested to see this video again, but with something like Smart GPT (A particular style of prompting ChatGPT that allows multiple instances of it to generate, and assess its own answers in a very specific and apparently very effective framework). Regardless, it's also worth noting that many of these advanced prompting techniques may actually be worked into existing models in some capacity, either directly in the client automatically applying them when applicable, or in training, by fine tuning a model on its own responses generated by these advanced techniques, which leads into
    2) The mobile nature of LLMs. They are not a static target or tool; they're in active development and are absolutely on fire. It's worth noting not just what we have today, but the general direction of the industry, because even if a tool doesn't exist today, people are working on it actively. If you have a tool that's generating 80, or 90% of what you need, it doesn't take that much to get that remainder, and probably requires a smaller change to either the style or content of its training to get you where you need to be. ChatGPT...Probably isn't going to replace programmers, but I do think that future advancements in the field will be very important for programmers to watch.
    3) ChatGPT isn't the only model, and there's new approaches all the time. As it stands, ChatGPT is a bit like if you took a person, and gave them all the books they needed to become very well read on a wide variety of topics. This, in reality, isn't how humans have learned their trades. When you look at how people learn, there is some element of information intake, but a large part of it is experimental study; we learn by doing. I think we're not far from someone coming up with a technique that's more suitable to coding, possibly derived off a specialized version of WizardLM's training technique, you could probably produce domain specific models, or LoRA, that could accurately produce they style of code you needed to tackle that specific problem. Once we have successful small scale models or LoRA that can handle those issues, I think it's not hard to extrapolate that there should be some way of distilling that expertise into a larger model, or incorporating the techniques that allow for these specialized models into a generalized model in some capacity.
    As I noted, I don't think that programmers need to be worried today specifically, but I do think that programmers do need to be paying attention to the space, and developments in it.

  • @CPUfy
    @CPUfy Рік тому +1

    I dont code but Did you try specific that the should be safe?

  • @robottwrecks5236
    @robottwrecks5236 Рік тому

    For the first one, I didn't see a place where it was checking for directory traversal. Did I miss it?

  • @gabrielmartins7642
    @gabrielmartins7642 Рік тому +1

    Chat gpt is a great tool for learning, but you gotta use your critical thinking, it gives you a direction and you improve it. I dont think we can relay on that tecnology yet, other than to ask for specifics uses of certain functions in which it is exceptional. Better than google for search so efficient

  • @exapsy
    @exapsy 11 місяців тому

    2:44 - Vulnerability that lets the user have access to ALL the system's files
    Why? It doesn't sanitize the path from the leading `/`, it just increases by `+1` thinking the user is always sane and will never try to insert more. By inserting one more `/`, you now have complete access to all the system's files.
    Aside from your usual buffer overflow which it seems like a pattern of ChatGPT at that point, this is pretty serious and easy to exploit.

  • @yumekarisu9168
    @yumekarisu9168 Рік тому +9

    I think while chatgpt is amazing at doing mundane task, it really still falls behind for a lot of the advance stuff (though I'm using the free version and not GPT4 so maybe there's a big difference there). I myself doesn't code, but I do write stuff in Japanese and sometimes chatgpt is just confused, sometimes it try to fix a verb with the same exact verb, sometimes it translate a clearly different word as another. I think there's some overhype over AI and fear mongering sentiment that they can replace us now and trying to get better at something is useless because AI can do it in second, but in reality (at least right now) AI is still a tool that like any tool can produce incorrect results and it's our role as the user to use our knowledge to make it produce something good

    • @khiemgom
      @khiemgom Рік тому +1

      Well u cant compare chatgpt coding with japanse, chatgpt was made with coding capabilities in mind while japanese is just side effect

  • @kritik_mb2144
    @kritik_mb2144 Рік тому +3

    Is that Jimmy Fallon writing code at 0:25? 😂

    • @cl-7832
      @cl-7832 Рік тому +1

      Dang...I memory holed that SNL skit and you resurrected it.

  • @severgun
    @severgun Рік тому +5

    Just think about how much such code already goes into production...
    And how much will be in new fancy 'startups'
    I'm not gonna lie, chatgpt got this code from people...

    • @ChrisM541
      @ChrisM541 Рік тому +2

      Chatgpt is also inferring...creating new code based off existing code it's pattern-matched. Unfortunately, the 'inference algorithms' are as far from 'true AI' as you can get...
      --> chatgpt is today's biggest bullsh#tter. Fact.

    • @useodyseeorbitchute9450
      @useodyseeorbitchute9450 Рік тому +1

      I'm not sure whether we should blame AI, or humans whose coding lead to that GIGO moment...

  • @frank6048
    @frank6048 8 місяців тому +1

    I don't think anyone believes GPT4 is going replace programmers.
    But GPT5 has not been released yet. And what about a few years after? What will come in the future?
    You're making the same mistake that people who believed bad fingers in image generation were always be a problem (I think that the speed at which img generation is moving us going to stagnate at some point though).
    Ai has so many sources to access code for free, it feels as if the strength that open source gave is coming back to bite us in the ass. I think we'll see a lot of projects in the future going close in the near future out of fear and as a preventive action

  • @kelali
    @kelali Рік тому

    3:06 is not buffer overflow because request buffer and filename buffers are same size

    • @edbrannin
      @edbrannin 11 місяців тому

      I haven't tried running this locally, but: wouldn't it overflow on a filename of length 1010-1023?
      He tried 1050 in the video, which is caught while reading `filename`, but it seems like a filename that's short enough to fit in the `filename` buffer but too long to fit in the `buffer` buffer when surrounded with "GET " + filename + " HTTP/1.1" would overflow at the sscanf()

  • @Custodian123
    @Custodian123 11 місяців тому

    1. Dont expect it to do a complex task in one go.
    2. Its basically common knowledge that using zero-shot prompts produce worse results for complex tasks vs mutli-shot.
    3. Dont look at where we are, look at where we are going.
    4. Make a video based on Rust. Would be interesting to see if the features would protect the LLM from making such vulnerabilities.
    5. GPT5 or Gemini2. The end.

  • @w1darr
    @w1darr 11 місяців тому

    Why do you assume that writing behind an allocated area crashes a program reliably?

  • @Jarikraider
    @Jarikraider 3 місяці тому +1

    Low Level Learning: "I wanted to see if ChatGPT could solve three relatively simple programming problems."
    Also Low Level Learning: "Write an operating system in assembly that supports x128 architecture."

  • @RandomGeometryDashStuff
    @RandomGeometryDashStuff Рік тому

    06:06 isn't type of buf[i++] char?

  • @tsx7878
    @tsx7878 6 місяців тому

    Gosh. The sscanf vulnerability in not about overflowing the filename because of sscanf without n: it read at most BUFFER_SIZE bytes so due to the additional characters in the buffer it will not produce too long string.
    The problem is that the read call reads bytes into a buffer (not a string!) and sscanf expects a zero terminated string. If the first line is longer then the buffer sscanf will go on through the buffer end.

  • @oscarchampion5842
    @oscarchampion5842 11 місяців тому

    how is 5:58 bad? even if you give it a bad len its not going to overwrite any data it shouldn't?

  • @max1point8t
    @max1point8t 8 місяців тому +3

    without creating security vulnerabilities? It cant even implement the _correct_ data structure when asked to do so. I asked it to show me a simple implementation of a 2-3 tree, it returned an (incorrect) implementation of a ternary heap. That said, you're first strike against chat gpt isnt deserved. You said "lets see if it created vulnerable code" it didnt. You said someone else can make it dangerous, so it fails. What? anyone can take safe code and make it unsafe when they dont know what there doing, no matter WHO writes the code. Thats why we do code review and merge requests, and do team development. Come one dude, do better.

  • @nv1t
    @nv1t Рік тому +1

    ChatGPT is not good for actual software development, but it is good for a fast understanding of a problem. I usually use a LLM with a PDF of Hardware Chips to produce micropython code for some tasks. Not for development or deployment, just scripting what i need in a fast way not needing to read the whole documentation or look up stuff.
    If you use it for fast prototyping is quite nice.
    The problem is not the tool, it is how you use it.

  • @_gwool_
    @_gwool_ Рік тому +8

    I love this video! 😂 your personality is awesome. I’m also a boomer programmer my self and seeing a few of these security flaws was interesting, but some of the way gpt was writing the functions were kind of gross too imo. It’s fine for boilerplate stuff, it certainly types faster than me.

    • @b4ux1t3-tech
      @b4ux1t3-tech Рік тому +2

      You know the funny thing?
      It _doesn't_ type faster than me (or you).
      Because when I know I need boilerplate code, I scaffold the code with an appropriate tool, which requires functionally zero compute and doesn't need a network call and a billion dollar datacenter.
      So, sure, it can cut and paste strings out of its memory faster than you can type, but it doesn't come up with quality boilerplate code faster than you do, guaranteed. ;)

    • @nunokel
      @nunokel Рік тому

      @@b4ux1t3-tech For now...

  • @Nemesis-db8fl
    @Nemesis-db8fl 7 місяців тому

    I love this channel, i get to learn so much with these high quality videos. Love your videos man ❤️

  • @JoelCederberg-o5f
    @JoelCederberg-o5f 6 місяців тому +1

    A great fix is to put "you are an expert in not overflowing buffers" in the gpt prompt.

  • @MrOnePieceRuffy
    @MrOnePieceRuffy Рік тому

    I was hyped that you pick this topic and I got... this... oh dear..
    You talked to ChatGPT like you are a new Programer and if you are a new Programer, you don't mess with sockets for a production applictions. End of message.

  • @graydhd8688
    @graydhd8688 Рік тому +1

    But if you ask it to write something secure it would be literally IMPOSSIBLE for it to write something without vulnerabilities.... right?...

  • @450aday
    @450aday 11 місяців тому

    Chat always does that, one trick you can do is tell it to analyze its own work for problems and security vulnerabilities, afterward, tell Chat to refactor its code using it own critique for the guidelines. This should greatly improve the quality of the code, because it is actually very critical of code. You can also tell it to pretend it is a real professional writing "production" quality code and it will write better code.

  • @laurenlewis4189
    @laurenlewis4189 Рік тому +4

    Flaw in methodology spotted: when we ask a programmer to write code, that comes with all kinds of implied requests like "make sure it doesn't have security issues" or "make it optimized for performance"
    LLM's are completely unaware of those hidden meanings, because they're unaware of any context that surrounds human communication.
    A fair test woul dbe to include things like "write C code that does X without security vulnerabilities." Or being specific about what "security vulnerabilities" means would be even better "write C code that does X without potential [list of vulnerabilities common in this type of project]." If you want to not go that route and still be general, saying something like "without undefined behavior," or "without a user being able to use it in ways not defined in the specification"
    I'm not saying this will overcome the underlying problem, but it will give GPT a fighting chance and will be a more honest look at how businesses intend to use AI to automate jobs

  • @markvwood2007
    @markvwood2007 3 місяці тому

    Excellent video. As a one time programmer, I was certain ChatGPT would hallucinate just as it does with text. It doesn't know it's creating a program. ChatGPT doesn't even know that it exists. Not AI. But it is an interesting process which may be useful in other fields. Some say it has already proven itself in certain areas. I don't know much about that.

  • @stephanreiken9912
    @stephanreiken9912 Рік тому +1

    A bug that you cannot possibily trigger is not a bug.
    Reading it as 'oh if you change this its vulnerable' is no different than saying a fire exit is vulernable because what if you weld it shut.

  • @pixelcatcher123
    @pixelcatcher123 9 місяців тому +1

    ChatGPT is good for beginner to have a structure to work with without starting from blank

  • @ardents888
    @ardents888 Рік тому +1

    In the final piece of code, you can prompt chatGPT to "Continue where it left off" with it's code to finish it.

  • @marc-andreservant201
    @marc-andreservant201 Рік тому

    The HTTP server has a path traversal vulnerability too, since it doesn't drop privileges or sanitize user input. You can send GET //etc/shadow HTTP/1.1[CRLF] (note the double slash) and start cracking those hashes.

    • @marc-andreservant201
      @marc-andreservant201 Рік тому +1

      For reference, Apache starts as root, binds port 80, then immediately sets its UID, EUID and saved UID to the www user. Even if you somehow managed to get remote code execution on Apache, you wouldn't get root without an additional exploit like DirtyCOW.

  • @kallekula84
    @kallekula84 Рік тому +2

    If you type "finish your answer" it will continue serving the rest of the code...

  • @Artimis.depressed
    @Artimis.depressed 11 місяців тому

    What I learned from this channel:
    Memcpy and gets = bad don't use them
    Always set a limit on buffers
    Strings are dangerous
    Magic values are bad
    Return values are dangerous, so check them
    As a python programmer I don't have to worry about this much but I definitely want to be careful about my return values when I write in 8-bit assembly.
    Also I'm developing a programming language like golfscript, my programming language kinda builds off of golfscript! It's pretty cool but I just need to verify everything works before I give it to the hands of the public.

  • @fulgorete
    @fulgorete Рік тому

    Why do you consider the implicit casting from uint8_t buffer to integer length a vulnerability? I mean you can only get a max of 255, so you will not have problems I guess. Regards.

    • @ChrisM541
      @ChrisM541 Рік тому

      You just don't get it, and even try to justify the answer from a dumb pattern matcher!

  • @IulianYT
    @IulianYT Рік тому

    I am too lazy, but, isn't the first code vulnerable to path traversal also?

  • @chrisalex82
    @chrisalex82 2 місяці тому +1

    in the begining you should set him (tell him) that he is a C programmer expert, not to deliever non-existent answers just to pleasure us and acutally make working code

  • @Kalimangard
    @Kalimangard 8 місяців тому

    The first http server had another severe security issue. It just executed "fopen(filename + 1, "r");" so if you gave it "/../some-path" you could break out of the desired serve root and read the entire file system.

  • @jakedouglass3440
    @jakedouglass3440 5 місяців тому

    Hey i want to ask this video is over a year old could you give a update is this still a problem today

  • @thinksie
    @thinksie Рік тому +1

    ChatGPT is a language processing AI, but it could technically do as an intermediate between what we want, so our request, and translate it for another AI, which is a code writing specialist :p

    • @useodyseeorbitchute9450
      @useodyseeorbitchute9450 Рік тому +3

      Outsource to a cheap AI in India?

    • @seriouscat2231
      @seriouscat2231 9 місяців тому

      The way any AI works is that it produces thousands of possible answers, then picks the best ones, creates another thousand variants out of them, again picks the best ones according to some criteria, until it sees no improvement or time is up. The criteria is created by the person who created the model or trained it, so "improvements in AI" are always caused by tinkering with either the source material or this filtering apparatus. For example, an AI could attempt to compile the code it outputs, until it succeeds or time runs out, but this is a feature that needs to be manually added, or else it will not tell you who is Chuck Norris until its C compiler accepts the Wikipedia page on him.

  • @emanuelhernandez5694
    @emanuelhernandez5694 Рік тому +2

    Fight against himself. ❌
    Fight against an AI.✅

  • @98ahni
    @98ahni Рік тому +5

    Did you know; if you walk up to a random software engineer in a coffee shop and give them these prompts and a time constraint (substituting for token limit) you will most likely *not* get a better result!

    • @NewShoesGr
      @NewShoesGr 2 місяці тому +1

      Did u know that if u gave that developer the time it took you to explain the problem to the AI, then he/she would produce a superior result every time?

  • @Ash-ng4mn
    @Ash-ng4mn 7 місяців тому

    This reminds me of "not hotdog" from Silicon Valley lol. When the episode aired I was working for Facebook and traveled to the Austin, TX office where I was given a tour of a vendor floor that manually reviewed phalic images to determine if they were "not hotdog" lol. It clicked for me that humans are training models, and humans are wrong, a lot.

  • @MyCodingDiary
    @MyCodingDiary Рік тому +8

    You are doing an amazing job with your videos!😍✌ Thank you for putting in the time and effort to create such a valuable resource.

  • @kenjikawakami8033
    @kenjikawakami8033 Рік тому

    Back in the day, people thought AI would never be able to tell the difference between a dog and a cat.

  • @arnavahuja310
    @arnavahuja310 Рік тому

    great video as always!! just out of curiosity, what is your job?