Alphabet’s DeepMind brings us AlphaCode — another AI code-generating parlor trick. And, just like its large language model cousins, it can spit out buggy code.
After looking at ChatGPT last week, it’s only fair we point out similar security problems with AlphaCode. Subtle vulnerabilities will abound in its generated code — not least because it’s been trained on vulnerable code.
As the old saying goes: Garbage in, garbage out. In this week’s Secure Software Blogwatch, we take out the trash.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Beatles vs. Motörhead.
Below-average code
What’s the craic? Matthew Hutson reports — “AI learns to write computer code in ‘stunning’ advance”:
“Outperformed 45.7% of programmers”
There’s a global shortage of programmers. Wouldn’t it be nice if anyone could explain what they want a program to do, and a computer could translate that into lines of code? … AlphaCode is bringing humanity one step closer to that vision: … Researchers say the system—from the research lab DeepMind … might one day assist experienced coders, but probably cannot replace them.
…
The previous standard-bearer in AI code writing [was] Codex, a system released in 2021 by … OpenAI [using] GPT-3, a “large language model” [trained] on more than 100 gigabytes of code from Github … The software can write code when prompted with an everyday description of what it’s supposed to do. … But it performs poorly when tasked with tricky problems. AlphaCode’s creators focused on solving those difficult problems.
…
DeepMind entered AlphaCode into online coding competitions. In contests with at least 5000 participants, the system outperformed 45.7% of programmers. [It] might have applications beyond winning competitions: … It could do software grunt work, freeing up developers to work at a higher, or more abstract level, or it could help noncoders create simple programs [or by] translating code into explanations of what it’s doing, which could benefit programmers trying to understand others’ code.
Sounds controversial. Shelly, Fan the flames — “AlphaCode Conquers Coding, Performing as Well as Humans”:
“Code is riddled with errors”
The secret to good programming might be to ignore everything we know about writing code. … AlphaCode is relatively naïve. It doesn’t have any built-in knowledge about computer code syntax or structure. Rather, it learns somewhat similarly to toddlers grasping their first language.
…
When challenged with the CodeContest—the battle rap torment of competitive programming—the AI solved about 30 percent of the problems, while beating half the human competition. The success rate may seem measly, but these are incredibly complex problems. OpenAI’s Codex, for example, managed single-digit success when faced with similar benchmarks.
…
It’s … unlikely the AI will take over programming completely, as its code is riddled with errors. But it could take over mundane tasks or offer out-of-the-box solutions that evade human programmers. … Sometimes it makes head-scratching decisions, such as generating a variable but not using it. … AlphaCode also needs computing power that few can tap into.
And more (huh) what is it good for? Davide Castelvecchi asks the natural question — “Are ChatGPT and AlphaCode going to replace programmers?”:
“Understanding the needs of humans”
In the past week or so, social-media users have been mesmerized by the ability of another chatbot, called ChatGPT, to produce … short computer programs. But these state-of-the-art AIs … are far from being able to replace human programmers.
…
Whereas ChatGPT is a general-purpose conversation engine, AlphaCode is more specialized: It was trained exclusively on how humans answered questions from software-writing contests.
…
Much of the work that goes into a large software-engineering project — say, designing a web browser — involves understanding the needs of humans who are going to use it. These are difficult to describe with the simple, machine-readable specifications that an AI can use.
So that’s a “no” then? Cynthia Cook dishes this alternative recipe — “Artificial Intelligence Will Replace Programmers”:
“A program-generating program … creating programs”
We’ve heard the trope that artificial intelligence is coming for all our jobs. I believe this is true. All of them, including developers themselves. … The possibilities are truly unimaginable and I’m excited to see where AI will take us.
…
Agile software development is all the rage. I’m a big believer in this way of development as well. It’s not going anywhere. One of the staples is well-articulated Acceptance Criteria. … If it’s clear enough for a junior developer to interpret, it’s a small step … from being interpretable by a computer program.
Test-Driven Development … is another core part of Agile: … A developer should write tests first and then the code to pass those tests. If tests are written up front, what’s to stop a program-generating program from creating programs that are passing these tests.
Okay, but that rather sounds like Then a Miracle Occurs, right? Here’s Tony Isaac:
In the real world, building solid requirements is the hardest part of building software. Often, nobody actually knows, in detail, what the requirements should be. … They have to be built, just like the code itself.
When AI can write a program that can take on TurboTax, then I'll start to worry about the robots coming for my job.
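As an added illustration of the two quotes above (not code from the Blogwatch post, from DeepMind, or from any commenter), here is a small Python sketch of what a test-first “program-generating program” can get away with: an implementation that satisfies every upfront test while ignoring the part of the requirement no test exercised. The requirement, the upfront tests, both implementations and the extra inputs are all constructed for this example.

```python
"""Constructed example: upfront tests underdetermine the program that
satisfies them.  A minimal "generated" implementation passes all of them
and still accepts input the stated requirement was meant to reject."""

import re

# Upfront acceptance criteria, written as tests before any code exists.
# Hypothetical requirement: a username is 3..16 characters, letters and
# digits only.  None of these cases exercises the character rule.
UPFRONT_TESTS = [
    ("alice", True),
    ("bob42", True),
    ("ab", False),        # too short
    ("a" * 17, False),    # too long
]


def generated_is_valid_username(name: str) -> bool:
    """Smallest implementation that makes UPFRONT_TESTS pass: it checks
    length only, which is all the tests ever asked for."""
    return 3 <= len(name) <= 16


def reviewed_is_valid_username(name: str) -> bool:
    """Implementation that checks the whole stated requirement.
    re.fullmatch anchors both ends, so a trailing newline is rejected."""
    return re.fullmatch(r"[A-Za-z0-9]{3,16}", name) is not None


# Inputs the upfront tests never covered; constructed to probe the
# character rule that a reviewer would insist on.  Each one satisfies
# the length check alone.
UNCOVERED_INPUTS = [
    "../admin",    # traversal-looking string, 8 chars
    "bob;drop",    # punctuation the requirement forbids
    "eve\n",       # trailing newline, 4 chars
    "   ",         # whitespace only, 3 chars
]


def run_suite(impl, cases):
    """Return the (input, expected, got) triples that impl gets wrong."""
    return [(inp, exp, impl(inp)) for inp, exp in cases if impl(inp) != exp]


def compare():
    """Run both implementations against the upfront tests and against
    the uncovered inputs (all of which the requirement rejects)."""
    uncovered = [(inp, False) for inp in UNCOVERED_INPUTS]
    return {
        "generated_upfront_failures": run_suite(generated_is_valid_username, UPFRONT_TESTS),
        "reviewed_upfront_failures": run_suite(reviewed_is_valid_username, UPFRONT_TESTS),
        "generated_uncovered_failures": run_suite(generated_is_valid_username, uncovered),
        "reviewed_uncovered_failures": run_suite(reviewed_is_valid_username, uncovered),
    }


if __name__ == "__main__":
    for label, failures in compare().items():
        print(f"{label}: {failures}")
```

Both implementations are green on the upfront suite; only the reviewed one rejects the four uncovered inputs. That is the gap Tony Isaac is pointing at: the tests are the requirements, and whatever they leave unsaid, a generator is free to leave unimplemented.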
And what’s this about being worse than the median average? pifm_guy squints at the data:
Worth noting that in many programming competitions online, a large chunk of competitors either don't submit anything, or only submit a little example.
ELI5? _me explains like _we’re five:
AI competed in a programming contest and scored at the 54th percentile among human contestants? I definitely don't have to worry about my job. Programming contests are very often … simple problems that actually have a correct, optimal solution. Real-world programming rarely involves such simple stuff.
My company has run a few programming contests aimed at college students. People who compete in these contests are often impossibly bad coders. … A large number of contest submissions [don’t] even compile. 54th percentile translates to: "Not even going to consider hiring them — throw away their resume."
It’s not like Alphabet to under-sell something. u/quantic56d sees the oint in the flyment:
Sometimes a cigar is just a cigar. In order for AI to be valuable on any advanced level it needs to understand context. It’s what human and animal intelligence relies on. Animals that don’t have contextual abilities can parrot behaviors, but that’s where it ends. … That’s where all the AI programs have hit brick walls.
…
Until that problem is solved it’s always going to be right around the corner but never actually getting there. … AI is going to do this someday. At that point though, we aren’t really creating AI — we’ve created a new life form. That is going to be an interesting day.
Meanwhile, GET OFF MY LAWN, says CaptainObvious7:
When I was a kid finishing high school in [the early] 90s, there was an article in a computer magazine about a new expert program … generating ready-to-use software. … Any day now, programmers would be replaced by programs and all that would be left is a few of them working on these expert systems.
…
30+ years later … the same article with a few details changed. … Waiting for my self-driving car too.
And Finally:
Is it cheating to mash up a cover with the original?
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: The Jefferson R. Burdick Collection (cc:0)