HeadlinesBriefing favicon HeadlinesBriefing.com

AI Finds 7 Bugs in Cloudflare Crypto Library

Hacker News •
×

An AI audit pipeline developed by zk Security has identified seven vulnerabilities in Cloudflare's CIRCL cryptography library. The bugs range from a critical precision loss in threshold RSA to an access-control break in attribute-based encryption. All seven issues have since been fixed upstream.

The AI, named zkao, is designed to continuously monitor code for bugs. In its tests against CIRCL, zkao, utilizing a configuration with expert-maintained "skills," flagged multiple potential issues. Human auditors then validated these findings, leading to the disclosure and eventual patching of the seven reported bugs. Many of these discoveries were also recognized and awarded bounties by Cloudflare.

This audit pipeline not only surfaces bugs but also provides insights into how AI models reason about complex cryptographic code. The reported vulnerabilities include a float64 precision issue affecting key share generation in threshold RSA, a DLEQ proof forgery by controlling a security parameter, and a BLS aggregate verification flaw that fails to check message distinctness, enabling rogue key attacks. The AI's initial severity assessments sometimes differed from Cloudflare's final classification, offering a unique perspective on AI-driven code analysis.