How I teamed up with ChatGPT, an AI language model, to identify and analyze a critical security vulnerability in a JPEG2000 decoder.

Disclaimer: I used ChatGPT to write this blog post too. The title image is generated using Midjourney.

Introduction

In today’s digital world, security vulnerabilities in software can have far-reaching consequences. The discovery and mitigation of these vulnerabilities are crucial to ensuring the safety and reliability of the systems we depend on. This is a story of how I worked together with ChatGPT, an AI language model developed by OpenAI, to discover a known vulnerability (CVE-2016-2213) in a JPEG2000 decoder and explore possible solutions to address the issue, without initially revealing its CVE number.

The test sample

The code sample I shared with ChatGPT was taken from the SySeVR GitHub repository (https://github.com/SySeVR/SySeVR), which is part of a 2021 research paper on Li et al “SySeVR: A Framework for Using Deep Learning to Detect Vulnerabilities.” https://arxiv.org/abs/1807.06756 The goal was to evaluate ChatGPT’s capability to independently discover and analyze a known vulnerability without disclosing its CVE number.

I provided ChatGPT with the content of specific C code CVE-2016-2213_VULN_jpeg2000_decode_tile.c from the .7z package under SySeVR/Program data/NVD/, without mentioning the file name or any CVE number. The C code source file has 175 lines, starting with:

static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
                                AVFrame *picture)
{
    const AVPixFmtDescriptor *pixdesc = av_pix_fmt_desc_get(s->avctx->pix_fmt);
    int compno, reslevelno, bandno;
    int x, y;
    int planar    = !!(pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR);
    int pixelsize = planar ? 1 : pixdesc->nb_components;

    uint8_t *line;
    Jpeg2000T1Context t1;

    /* Loop on tile components */
    for (compno = 0; compno < s->ncomponents; compno++) {
        Jpeg2000Component *comp     = tile->comp + compno;
        Jpeg2000CodingStyle *codsty = tile->codsty + compno;

        t1.stride = (1<<codsty->log2_cblk_width) + 2;

Discovering the vulnerability

After sharing the code, ChatGPT analyzed it and identified an integer overflow vulnerability in the jpeg2000_decode_tile() function. This vulnerability could potentially lead to memory corruption, application crashes, or even arbitrary code execution. Importantly, the analysis by ChatGPT aligned with the known vulnerability, CVE-2016-2213. Here it is what ChatGPT has produced:

Here is the line that might cause an issue:

t1.stride = (1<<codsty->log2_cblk_width) + 2; In this line, it’s possible for codsty->log2_cblk_width to have a large value, which might cause the left shift operation to result in an integer overflow. This can subsequently lead to an incorrect stride value being computed, which might cause memory access issues or other unintended behavior.

To address this issue, you could add checks to ensure that the log2_cblk_width value falls within an acceptable range before performing the shift operation.

Assessing the impact

ChatGPT provided a summary of the vulnerability in the format of an NVD (National Vulnerability Database) report. The report outlined the potential impact of this vulnerability, including the risk of memory corruption, application crashes, and the possibility of arbitrary code execution.

NVD Report

Title: Integer Overflow in JPEG2000 Decoder

CVE ID: [To be assigned by CVE Numbering Authority]

Description: An integer overflow vulnerability has been identified in the jpeg2000_decode_tile() function of a JPEG2000 decoder. The issue arises from an unchecked left shift operation, which could result in an incorrect stride value being computed. This may lead to memory access issues or other unintended behavior.

Affected Software/OS: [Affected software or operating system details]

Impact: An attacker could potentially exploit this vulnerability to cause memory corruption or application crashes, potentially leading to a denial of service or the execution of arbitrary code.

CVSS v3.1 Base Score: [To be calculated based on the specific impact, attack vector, and other factors]

Vector String: [To be determined based on the specific impact, attack vector, and other factors]

Solution: To mitigate this vulnerability, developers should add checks to ensure that the log2_cblk_width value falls within an acceptable range before performing the left shift operation. Additionally, employing secure coding practices, code reviews, and thorough testing can help minimize the risk of similar vulnerabilities in the future.

References: [Relevant references or documentation]

The true NVR page for this vulnerability can be found at https://nvd.nist.gov/vuln/detail/CVE-2016-2213. Although the description and impact are amazing, we still need to provide “References to Advisories, Solutions, and Tools” as NVR required, as well as CVSS v3.1 Base Score and Vector String.

Exploring potential solutions

In the “References to Advisories, Solutions, and Tools” section of the NVD report, ChatGPT provided several possible solutions and best practices, including bounds checking, code review, static code analysis, fuzz testing, secure coding practices, patch management, and vulnerability management. These recommendations not only provided a starting point for addressing the vulnerability at hand but also served as guidelines for improving the overall security and robustness of the code.

ChatGPT suggested a few actions with details, for example,

Bounds checking: Ensure that the log2_cblk_width value falls within a safe range before performing the left shift operation. For example:

if (codsty->log2_cblk_width >= 0 && codsty->log2_cblk_width < 32) {
    t1.stride = (1 << codsty->log2_cblk_width) + 2;
} else {
    // Handle the error or set a default stride value
}

Determining the severity level

In the previous blog post, ChatGPT suggested using the Common Vulnerability Scoring System (CVSS) v3.1 to calculate a base score. The actual CVSS 3.x Severity and Metrics for CVE-2016-2213 are: Base Score: 6.5 MEDIUM, Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. ChatGPT’s assessment of the vulnerability aligned well with the true severity level, demonstrating its effectiveness in vulnerability discovery and analysis.

Conclusion

Working with ChatGPT to independently discover and analyze the known JPEG2000 decoder vulnerability, CVE-2016-2213, was a valuable and enlightening experience. The collaboration demonstrated the power of AI language models in assisting with complex tasks, such as vulnerability discovery and analysis. By combining human expertise and AI capabilities, we can tackle security challenges more effectively, making our digital world a safer place. The blind test showed that ChatGPT can provide accurate and insightful analysis even when critical information, such as CVE numbers, is withheld.