Silver Bullet Security Podcast 158 – Artem Dinaburg

View on Zencastr

On Episode 158 of the Silver Bullet Security Podcast, BIML’s Gary McGraw hosts Artem Dinaburg.  Artem talks about using Agentic AI to find, fix, and exploit software security defects.  We talk decompilation, stochasticism and the tension between harness development and LLM nondeterminism, human intuition, and the hard parts of program analysis.  We also talk about MLsec (machine learning security), recursive pollution, and tokenization.  Do we need more people in software security in the age of AI?  Yes we do.

Transcription of episode 158

Click here to view/hide transcript

gem
This is the Silver Bullet Security Podcast with BIML. I’m your host, Gary McGraw, CEO of the Berryville Institute of Machine Learning and author of Software Security. This podcast series is sponsored by BIML, a nonprofit science and technology organization whose research focuses on machine learning security. For more, see barryvilleiml.com/podcast. This is the 158th in a series of interviews with security gurus, and I’m pleased to with me today, Artem Dinaburg. So thanks for joining us, Artem.

ARTEM DINABURG
Hi, Gary.

gem
Artem Dinaburg is the chief scientist at Trail of Bits, where he leads research and security engineering products for projects for government and commercial clients. Artem has worked on a large variety of projects, ranging from low-level software development to vulnerability research, reverse engineering, malware analysis, and program analysis/transformation. His core interests sit at the offensive and defensive intersection, automated vulnerability discovery, exploitation, and patching. These days, much of his attention is on a topic now familiar to the whole industry, how AI best can be used for automated bug finding, reverse engineering, and decompilation. Artem holds a BS in computer science from Penn State and an MS in computer science from Georgia Tech. So let’s start with the reality of software security automation. Over the last year, Trail of Bits completely overhauled its audit methodology, transitioning from widespread internal skepticism about AI to actively deploying an arsenal of dozens of specialized autonomous agents and hundreds of customized skills. On the right engagements, your AI augmented engineers are now uncovering upwards of 200 bugs a week. So from your perspective as chief scientist, what’s the fundamental difference between treating AI as a typing assistant versus weaponizing sort of a proactive autonomous agent loop to dismantle the code base?

ARTEM
Essentially you are delegating work, but you are delegating work to, not to humans, but to, as you said, autonomous agents. And these autonomous agents are very good in certain domains and they can cover a lot more ground than what you could as a human. There are certain categories of vulnerabilities. And that obviously, we’ve seen with the recent releases from Anthropic and so on that AI agents are just extremely good at finding. And if you can unleash this on a code base, you can cover a lot more ground very quickly and focus your human evaluators on assessing higher level properties that need to hold that may require domain expertise that an AI agent simply just does not have because it does not understand the business context where the software is running, the threat model that its creators are concerned about. And, maybe something that crosses different abstraction boundaries that you as a human can think more concretely about.

gem
Yeah, that makes sense. I mean, hopefully it will move the humans towards the design level in some sense, which has always been the hardest aspect of software security in my view.

ARTEM
Yes, I think you’re absolutely correct. As more and more mechanics of code auditing get automated, the bottleneck becomes other security skills, the ones in a basic intro to security course. Usually you emphasize compartmentalization, secure design, isolation, and then most of the things are kind of forgotten about. And everybody’s like, now here’s your first project.

What you struggle on is mechanically writing a lot of code. Well, now we’ve solved that problem and the bottleneck has become again, what is the proper security design for the problem you’re solving? What threats are you concerned about and how are you going to mitigate these issues?

gem
Cool. I love that. That’s a great answer. Much of your research focuses on using LLMs to reverse engineer and decompile binaries. When you ask a statistical model to reconstruct control flow graphs or guess variable types or label stripped functions, are you actually extracting the original architectural intent of the software? Or are we in some sense, generating a highly plausible semantic veneer that might make a human auditor’s job harder? Is there some of that or am I just crazy?

ARTEM
Oh, so I think this is a fascinating question and touches deep into a lot of what I’ve been thinking about, but I don’t necessarily have the data to completely validate my thoughts yet. So I guess to step back a bit, if you said translate it to a control flow graph and so on I think that this works for algorithmic-based reverse engineering and decompilation. This has worked great, and especially for the C family of languages. This has worked wonderfully. But if you notice, a lot of the current top tier automated reversing software or manually reversing software really wants to reverse everything to C. But this has not been the reality of the languages that people are developing in. If you try to reverse engineer Rust or Go or Swift or you one of the modern HLLs, you will get C that looks like it is pretending to be Rust, which I think is currently worse than looking at bad Rust.

gem
Believe me, I came up in the C-Tran days, so I know exactly what you’re talking about.

ARTEM
Yeah. And my hypothesis that we can do we can do much better. Let’s say like if the let’s talk about a language translation problem that we’re more familiar with. Let’s say you’re translating, English to Japanese or Japanese to English. You do not make a sentence diagram, reconstruct every sentence, every word verb, translate it to Japanese and rebuild your sentence. This is kind of how more traditional decompilation tools work. Yes, sometimes it’ll work. Occasionally, you’ll be able to get the message across. Maybe it’ll work for certain classes of phrases. But modern models, they have an enormous amount of Japanese-English pairings. And the machine model works its statistical magic, and out you get a translation that’s really good and idiomatic.

And why can we not do the same thing for effectively… Let’s say you were translating ARM64 to Go. You have the same thing, I know, because you don’t really need… you do not want to think about translating one function at a time or parts of a function and trying to recover the idiomatic Go language from that. This is impossible. This is an extremely difficult problem, which I’m not sure it’s even solved because that original Go is gone and you’re never getting it back, like it’s went through several layers of intermediate languages and outcomes, some binary, which has nothing to do with necessarily the language semantics that created it But, you could take this neural translation approach and actually get some kind of normal, Go or Rust or Swift, or what have you, back.

And I think this is very promising, especially because you have a compiler, so you can generate immense amounts of training data, and you have an oracle. You take the thing, it decompiles, and you build it, and you compare at the binary, and you have some level of binary similarity you can measure and hill climb. And so I think this is a very, very tractable problem for AI, ML and agentic based systems in general. And I think the reason it hasn’t been solved yet is because simply it needs a whole bunch of work to put into solve it. And then eventually, but eventually it’ll get solved. And I think it will be, much better than what humans currently do on HLLs. And it’ll help kind of ease the gap between source auditing and binary auditing, because you will be able to have some kind of quantifiable measurement with how close you are to the source code.

gem
You know, I think that’s interesting, but I also think there’s a real possibility we will one day realize we don’t really need that source code anymore, but we’ll see what comes first.

ARTEM
Also very possible.

gem
That’s too speculative to put anywhere but a podcast.

So, in traditional program analysis, we rely on sort of rigid compiler rules, deterministic oracles to prove that a bug exists. If the core engine of modern automation is a stochastic guessing machine, the agentic harness is supposed to, in some sense, be our rescue mechanism, the deterministic wrapper that validates and executes and grounds those probabilistic guesses. How do you design a harness that’s tight enough to enforce correctness on a non-deterministic model without completely suffocating the creative leap, or maybe more accurately, the stochastic generalization leap we want the AI to make in the first place?

ARTEM
I think that’s a fascinating question. And this is genuinely a difficult problem. If you do current AI-generated bug finding, and we see this in our audits and we’ve seen this from like complaints from maintainers of various open-star software and so on, like, you get a vast amount of false positives. It wants to find critical bugs everywhere. And you need some kind of gate that, as you said, grounds us in the real world.

Typically, there is no better proof than actually executing a live deployment of whatever software you are running against and seeing the issue come up in real time. Sometimes this is easy when you can prove that you’ve exfiltrated some kind a flag in a CTF style setup or there is a segmentation fault and you have an obvious memory card. But sometimes this is actually very difficult. Because maybe the issue is some kind of race condition that only triggers occasionally and just didn’t trigger it. Maybe the flaw is actually very difficult to understand.

gem
Exactly.

ARTEM
And I mean, currently right now, at this point, the solution is, throw it back to some humans who think really, really hard about it and try to determine whether this is indeed a problem. And I know…

gem
Well, at least we’ll have jobs.

ARTEM
Yeah, and well currently, that’s one of the things that is where we are, our minds are still… produce better results than AI. But I think there is no fundamental reason why you could not think about this at some deeper level or create some kind of tooling to help you think about this. We have lots of, there’s been lots and lots of work done modeling distributed systems and normal computation, and a lot of the reason why we don’t, nobody does verified programming to begin with is because it is extremely tedious. The development pace is really slow. And I know think there’s a very good argument to be made. Had we went down this path in the very beginning of programming, if let’s say, BASIC came with mandatory validation in the interpreter. Maybe if everybody look if if everybody learned to do this, maybe we would have been in a much different place off the architecture-wise and everything would have been a lot better.

But that’s not the way things ended up. And in in the reality that we have, you’re going to lose development velocity to somebody who just does not have these constraints. But with AI assistance, you don’t necessarily have to lose a velocity with these constraints. And in fact, forcing your AI to work in a much more verified development mode helps prevent slop. It helps ground what it is actually trying to do.

So this is a fantastic use for those vast amounts of verified programming. I think there’s lots of stuff from like Microsoft Research about this that all of a sudden has very renewed relevance. And now that the mechanics of writing code have been automated.

gem
Fantastic. So we’re all going to become formal methodists, which I’ve been trying to avoid my entire career. So hopefully I’ll retire properly before that.

ARTEM
Well, I mean, you ideally, you wouldn’t, sure, you wouldn’t you would need an understanding of how it works. Like, clearly, you will need an understanding of but you will not have to, check the arity of each function to make sure that, try to understand, you obscure 500 line long error messages about why your code doesn’t validate. Ideally, the AI does that.

gem
All right, let’s turn to the security of machine learning itself. When traditional security engineers look at machine learning, they usually try to map it into familiar mental models, like treating it as a standard application component with an unstructured API, or maybe as an esoteric pile of statistics. As we transition from hunting classic software bugs and flaws to auditing complex ML systems themselves, what’s the fundamental architectural shift that engineers miss? And why are we sort of failing to isolate data from control flow in our standard designs today?

ARTEM
Yes, again, another very fascinating question. So there’s there’s several layers to unpack here. The data control thing that you mentioned, I feel that every decade has its, we put our control in the data, starting with the phone system to cross-site scripting and so on.

Now we have another decade where we are going to do prompt injection, where we put control inside the data. I think there’s been some research to try to mitigate this to some degree where you have certain control tokens that you can reject at input time and the model says, once I see this control token, I will stop processing this. And you have some kind of basic pre-filter that does not allow control tokens in your input at all. But then again, you have this arms race of how can you sneak this control token back in, maybe you can work around this.

So I feel that we will be stuck with this for a while without and this is necessarily a good, clear solution.

The second aspect, how do we treat these systems? I think this is actually very fascinating in that with the first, not the first, some of the first places we’re going to see a lot of AI use by default is inside existing workflows. Almost by definition, because you have lots of existing systems, you are going to plug these things into an existing workflow and, with the obvious benefits of you are automating something that is very complicated, that previously could not be automated, and there is a bonafide business need to do this.

gem
Right.

ARTEM
there needs to be a very thorough reevaluation of the security model you’re doing this because you are going to have a thing that can take action and it is going to take untrusted input and it is going to be able to effectively, if right now you have to model it as, it can do anything that an attacker tells it to do, and you’ve modular whatever external controls you have and the latest example of this is the whole Meta Instagram support bot, where you could tell it to reset the password for somebody else’s account, and it would gladly do it because it isn’t its job to reset passwords. It is, I’m sure, saving a substantial amount of support costs for what are effectively free accounts. Business-wise, it makes sense. You wanted to have this functionality, but did not carefully model the fact that anybody can ask for somebody else’s password to be reset. And I think we’re going to see a lot more of this in various contexts because the business case for putting these agents into legacy systems is very, very high. Like you definitely want to be able to do this.

It’s not just that somebody wants to save some money by cutting employee costs. People want this because it’s legitimately very helpful. They help you accomplish the thing you want to accomplish 24 hours a day, seven days a week. There’s a bunch of studies that obviously these all come from companies that sell this, but I tend to believe they’re correct where people prefer AI-based support staff if they’re not told it’s AI based.

gem
Right, right. Because it’s more helpful. I mean, we’ve always had that tradeoff in security engineering between functionality and security. And in some sense, you know, the pressure on the functionality side is just a little bit higher now. So that balance is going to teeter totter, going to shift.

I want to get into something slightly more technical. so when When people talk about the data corruption feedback loop, they sometimes use the terms “recursive pollution,” that’s what we like at BIML, and sometimes they use “model collapse” in academia interchangeably as if the only thing that matters is the dramatic sort of in-state catastrophe. We’ve been looking closely at the distinction and we believe that a model doesn’t have to completely implode to become a liability. It just just needs to absorb enough of its own distorted output to degrade over time, often quietly. From an architectural defense perspective, how do we build an assurance framework to detect early stage recursive pollution before a system drifts into full blown collapse?

ARTEM
I think at some point, you have to have grounding in bona fide facts that exist outside of the model that you have validated somewhere else. This is even obvious when, not obvious, but this is like and something that exhibits itself whenever you are trying to do work doing let’s see no source analysis on one hand, but honestly, like any kind of AI use, if you do not have empirical facts to ground it in, it will hallucinate, it’ll make things up and as the model gets worse, it’ll hallucinate even more because it is continuing to operate.

gem
Well, and it it loves its own hallucinations, of course, because they came from it.

ARTEM
Yes, does. And so some kind of grounding is essential. And we see this in software security work, whereas this is kind of a symptom of, it’ll find high severity issues everywhere. And unless you have some kind of grounding in actual execution, where feasible or some kind of oracle that operates outside the model, you will find high security issues everywhere that don’t actually exist. Or maybe the code isn’t, like and a lot of times this is something we see, the code isn’t even wrong but it is actually impossible to reach the path because it requires two conflicting hardware versions to be operating at the same time, which never happens in the real world, but it is impossible. This is outside of the model’s ability. I think in the computer domain, this is at least models usually quite good because they have been trained and there’s a lot of reinforcement learning that happens on how actual computers work. And they’re very good at this. If you shift domains to other things, they actually get considerably worse because their intelligence is jagged.

One thing I encountered recently in my personal life is, if you ask the Mythos or even the Fable model how to get a 2003 Ford Crown Victoria out of park when the brake lights don’t come on, it will make something up that is completely not real. And then if you tell it, hey, this actually is not in the car, it will take you down a path where it has you disassembling the steering column. Whereas the real answer is on dozens of forum posts and in the official PDF manual from Ford that you can go and download and use. So there is a grounded answer, it just will refuse to use it and it will take you down a completely different path.

gem
I’m sorry to hear that this is a real. *laughs*

Most AI people treat tokenization as a mundane pre-processing step, completely overlooking its deeper architectural and philosophical impact. By slicing inputs into arbitrary statistical chunks rather than meaningful semantic units, tokenization fundamentally decouples the model’s emergent internal representation from the reality it’s supposed to be processing. This is kind of getting towards grounding a different way. From a white box security perspective, how severely does this translation layer distort our ability to reason about system behavior? And can we ever truly secure an architecture whose very ontology is built on these crystalline non-human representations?

ARTEM
That’s a very good question because tokenization has been, the root of evil for a lot of different problems. I think this is… a very, kind of a difficult problem because, I know there’s been lots of research about, for instance, doing some kind of byte-level understanding, usually aimed at doing, image processing or processing different kinds of binary structures. I feel that my, I’m going to give an answer, but if I always, I feel that my answer may be inadequate because there’s a lot of frontier research here that I’m not very familiar with. And I feel like even if I had read it, I would not produce a great answer. But, in the model training that I have attempted to do, I have run into the problem where, you have a token, the token stays under-trained because it’s not a pure enough in your training data. we saw this, with the back in, GPT-3, three and a half with, solid gold, Magikarp and so on. it’s this little, uh, trigger very, very strange results. I ran into doing some local model training for some specific task where I accidentally left some tokens under-train and I realized my performance was horrible. One of the lessons, build evaluations first and do training, then check to make sure you’re better than baseline. The reason was had under-trained tokens.

gem
Gosh, but that’s given development almost…

ARTEM
Yeah the reason was I had undertrained tokens. And I do not know what tokens and frontier models are under-trained, how much this is affecting hallucinations, how easy it is to trigger them, or what potentially the impacts are of leaving certain states unrepresentable because they cross token boundaries. or you you have this pair of tokens and you need a pair of tokens to represent something or maybe more than a pair. And, this particular pair has been not appearing next to each other very often. So it will would actually be very hard for the model to represent the thing you want.

I know I think there’s going to be certainly an emergent class of, I don’t know if going say attacks, but, things that cause undesired behavior in production AI agents that are possibly going to be based on, looking at this and figuring out what kind of, what can we insert that is going to make this difficult for, difficult to process.

gem
Yeah, I mean, it’s an interesting area of research for sure. And I think that it’s pretty much, you know, generally ignored by most people working in the field so far. We need to fix that.

ARTEM
Well, I think, yes. So one, I think people making models understand that tokenization is a very, very difficult subject and have dedicated a lot of research to it. But also you can’t really, the byte-level schemes have not produced the same kind of performance that actual tokenization does. and, you need to stay at the frontier and deliver performance, in terms of model capabilities to your end users.

In terms of security aspects, yes. I think there’s many, many things, and this is definitely one of them that we have not really gone into and that reinforces the need to, again, have a proper architecture, especially if you’re integrating one of these systems into an existing enterprise deployment of something. How are you going to put a perimeter around it and limit its actions and audit and validate its actions if you can’t limit them. So at least you can go in the past and undo them based on you what you wanted to do and what you allow it to do. And going back to what where we started, those very beginning security engineering principles of auditing, logging, isolation, privileges, now they have enormously renewed importance because the actions happen at machine speed instead of human speed. and you need to make sure that certain actions are simply impossible.

gem
I will point back to some work we did in 2020 at BIML where we took Saltzer and Schroeder’s principles and we adjusted them for machine learning. Check that out in all of your copious spare time. I want to kind of stick ourselves directly on the present, so into the immediate present. At at the Qualcomm Product Security Summit, you argued that we actually need more human software security people right now, not fewer, strictly because generative AI is allowing developers or whoever to churn out coded in unprecedented velocity, which I absolutely agree with. I used to joke that Gartner analysts could only understand one variable, bug cardinality, like whether that was going up or down while completely ignoring the two variables that actually matter, bugs per square inch and miles of new code. If the AI firehose is just massively amplifying the miles of code we have to deal with, how do human security teams scale to find the architectural flaws, the ones up the food chain, when we’re drowning in an ocean of AI-generated syntax, some of which we can automate away with other AI?

ARTEM
Yes, thank you. I guess I don’t want to say counterintuitive, since at least I can tell you agree with me, Gary. But it’s certainly counterintuitive to some people who say that security is over, why are you working in security? This has clearly got automated away. You don’t have anything…

gem
No way.

ARTEM
… you should stop, do something else. And I’m like, no. The amount of code being generated means that there is going to be more bugs than we have ever seen, even if we are very lucky to have that AI, it is good at bug finding because we’re going to need it to find all the bugs in AI-generated code.

What we have to focus on is, and this is going easier said than done, but the software development has to adjust to a much faster pace of code velocity. And this means gating as many tasks as we can behind some kind of no machine checked or machine audited analysis and only pushing to humans what there is uncertainty about or what may require some kind of higher, as you said, higher degree of abstraction. As to how to scale humans to be better at this higher degree of abstraction, I think, unfortunately, we have not found a way to accelerate human learning. So, that we have we have not found a way to do. But it’s essentially just going to mean that changing prioritization and the kind of things that people who are entering security now, the kind of things they learn, are you’re going to have to shift the focus. As you said previously in your security project, now you did a little bit of learning about policy, and then you had lots of learning about mechanically analyzing code and writing it to implement it. Well, we’re going to have to do a lot more of the learning about policy and how to assess this and how to interpret output from potentially automated systems and how to know when they are wrong and so on. We’re going to have to change how we train.

A lot of this ties into the fact, what are we going to do about junior people entering security? One, we’re going to need a lot more of them. Two, yeah I mean, they’re just simply not going to learn the same things that we learned. This is not necessarily a bad thing, fields evolve, but their knowledge is going to be valuable for where we are headed. And where we are headed has a much, much higher development velocity than we had before, requiring different strategies to keep up with the newer volume of code.

And I think we are seeing this, there’s been an uneven adoption of these principles. I think a lot of, like if you look at some of the outputs from a lot of the frontier labs, like Anthropic and OpenAI, essentially they’re saying, we use Codex or we use Claude Code to write 80, 90% of Codex and Claude Code. And we’ve increased our shipping velocity by 8-10 times in the past month. And, other places also do it. We have a lot of AI adoption internally and we can audit more lines of code and we can find more bugs per project faster. And eventually, everybody is going to have to adjust to higher velocity or be outcompeted by people who do. And this is going to require a shift change, both in software development and from perspective of people who do security, how you structure product and code security and what kind of things do you do. And yes, you’re definitely going to need more people who who can do this because there’s going to be so much more code. I’m sure you can remember the first time you wrote a computer program and the joy you get out of having the computer do something

gem
You’re not going to believe it: 1981.

ARTEM
Yeah, and like I’ve talked to a lot of our non-development staff, and they have been onboarded with Claude Code and Codex, and they get the same joy now because they can finally tell the computer what to do and the computer does it. And it is like you can like hear how awesome it is that they can like they had these things that they wanted the computer to do and now they can tell the computer to do it and the computer will do it for them and it is like it is an amazing feeling except now you don’t you don’t have to learn this wizard language and interpret these spells that the computer tells back at you can just like tell it to do stuff.

gem
I kind of want to I kind of push on that for the last question. So, you know, let’s close with where this is all heading, which is obviously agentic which we’ve been talking about the whole time. So, we’re rapidly building autonomous agents designed to write code, find vulnerabilities, make system level defense decisions all on their own. But, as we rush to build the mathematical harnesses and formalisms to keep those things from going off the rails, we shouldn’t lose sight of what actually makes a defender effective. Machines are great at scale, but humans bring what I call the three Is to the table: insight, intuition, and ingenuity. When we look past the hype of fully automated systems, how do we design high assurance architectures that don’t just constrain the AI, but actually amplifies those uniquely human traits?

ARTEM
So I think this is actually one where defense is going to get a lot of value since traditionally the problem with defense has been volume. There has been an immense problem with volume. Like you have sure you can log everything and lots of sensors, you can audit things, but you will get a large volume of data coming in. You will get lots of alerts from your entire network. And being able to, this is, it very quickly gets human cognitive overload. Even if you have an intense amount of filtering, if you have a large enough system, you get cognitive overload from what are false positives. And now we have the ability to where we can offload this cognitive load to somebody else, we can offload this cognitive load to a swarm of agents. And I mean obviously we can say, is this going to be turtles all the way down, but we can finally make sense… like, there is a thing that, sorry, I’m mumbling all over myself, but there is at least a vision for how we can take all of this vast amount of data and process it either in real time or at some delay offline and make sense of it and bubble up only the things that have been past several gates of review that a human needs to use their intuition to see, is this actually allowed per the business policy? And now you can…

gem
Right, but it also it also emphasizes the fact that that human intuition is really important. We can’t just get rid of that.

ARTEM
Yes, I know I think finally, like what you will be able to do is identify higher level policy violations from lots of lower level actions, which before took forensic analysts maybe months or years digging through things after an incident. Now you will be able to achieve this much faster because you actually have something that can look at all these sensors and correlate this data and actually intelligently make some kind of decision on it in either real time or close time, and bubble up something to a human to say, we have detected motion of data from here to there to there and finally exfiltrating out of VPN endpoint. Is this a permitted workflow? And somebody can say, yes, totally. Gary’s traveling to Tokyo to this week and this is absolutely expected. Or they can be like, no, no, no, no, this is a terrible proble. Press the red button.

gem
Well, this has been an absolutely fascinating conversation. Fantastic. Thanks so much. I can’t believe we’ve been talking for 35 minutes. It feels twenty-seven seconds

ARTEM
Yes.

gem
This has been the Silver Bullet Security Podcast with BIML. Silver Bullet is sponsored by the Berryville Institute of Machine Learning, a nonprofit science and technology organization whose research focuses on machine learning security. You can find a permanent archive of all of our episodes dating back to 2006 at garymcgraw/technology/silverbulletpodcast. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at barryvilleiml.com/podcast. This is Gary McGraw.

Silver Bullet Security Podcast 157 – Tim Schulz

View on Zencastr

On Episode 157 of the Silver Bullet Security Podcast, BIML’s Gary McGraw hosts Tim Schulz.  Tim talks about whitebox control and observability in machine learning systems (and especially transformer architectures), the limits of red teaming for securing AI,  “neural surgery,”  Agentic AI and the confused deputy problem, and the economics of network “smallification.”

Transcription of episode 157

Click here to view/hide transcript

gem
This is a Silver Bullet Security Podcast with BIML. I’m your host, Gary McGraw, CEO of the Berryville Institute of Machine Learning and author of Software Security. This podcast series is sponsored by BIML, a nonprofit science and technology organization whose research focuses on machine learning security. For more, see berryvilleiml.com/podcast.

This is the 157th in a series of interviews with security gurus, and I’m pleased to have with me today Tim Schulz. Hi, Tim.

TIM
Hey Gary, thanks for having me. Excited to be here.

gem
Tim Schulz is the CEO and co-founder of Starseer, where he builds deep inspection tools that let security teams see inside AI models for supply chain validation and runtime monitoring. A veteran security researcher, Tim previously founded and led the AI Red Team at Verizon, where he pioneered methodologies for the adversarial testing of large-scale machine learning deployments.

Tim’s career spanned key roles at SCYTHE, MITRE, and Sandia National Laboratories, focused on building new capabilities to enable testing and evaluation of emerging technologies — from adversary emulation frameworks to security assessment methodologies. He now applies that same approach to machine learning security tooling. Tim has a BS in computer science from Mississippi State University and a master’s in computer science from the University of Tulsa. So thanks for joining us, Tim.

TIM
Yeah, thanks for the intro. That was nice.

gem
It’s always fun to hear about yourself, isn’t it?

You founded the AI Red Team at Verizon. What was the biggest aha moment when you realized that traditional red teaming and pen testing tools weren’t going to cut it for large language models?

TIM
One of the biggest aha moments of discovery — and I should say I wasn’t classically trained in ML; I was more of a hobbyist for a while — came out of a tabletop discussion between security teams and the data science and ML engineering teams. The bridge I didn’t quite realize was missing was around what happens when an incident occurs: say a model gets knocked offline or starts behaving unexpectedly.

You have this lack of visibility that security teams have really come to expect with all the systems we deploy now. Whether an adversary turns off logging or something like that, there’s an expectation that we’re going to have something to go off of to understand the cause and effect.

gem
Like some traces or some logs?

TIM
Yes, exactly. Whether it’s syslog or network logs, you have enough things to piece together an investigation. That was when I realized that when security teams were asking for things like that and ML engineering teams were like, “Cool, we have API logs — here you go,” that was one of those moments that really stood out.

It also crystallized for me how to make more reliable attacks, as well as how to help defenders actually protect against them. What are the things they can do so that instead of me just poking holes, we’re saying: here’s what we need to do to make it more secure so it can actually get deployed into a production environment.

That was the moment I thought, okay, this is going to require some combination of the art and science of security tooling and what we’ve done, plus some reverse engineering to figure it out.

gem
When was that, Tim?

TIM
That was right after I started at Verizon — we had that realization relatively early on. I think it was 2024. That’s what started me down that research pathway of looking at how we solve this problem, because I wanted there to be a vendor for it.

gem
Wow. Amazing. So much has happened so fast in machine learning — it’s absolutely shocking to think of what is now ancient history, so to speak.

Many AI red teamers spend their time crafting prompt-based magic spells to bypass alignment. But in some sense, an LLM is a natural language parser that can’t distinguish data from control, which as we know is kind of a big no-no in security engineering. So isn’t there always going to be an injection attack that works, kind of every time?

TIM
This is where I’m going to show my optimism. I know there are authoritative sources that have said prompt injection and some of those things are features that people just need to live with. But my optimism is not that we’re going to solve all security or even all AI security — rather, I think what it takes to attack a machine learning or any sort of AI model is going to increase substantially in sophistication. There will be new attacks, and I think there are going to be new classes of attacks against models that are discovered that we don’t even know yet.

gem
Oh, I totally agree with that. I’m just wondering whether or not you can always do prompt injection.

TIM
I think the current framing of language model prompt injections and jailbreaks has a shelf life that’s rapidly approaching. I want to separate the effect of what a prompt injection or jailbreak does from the actual attacks as we’ve seen them, because it’s really just about getting creative in how we obfuscate things and try to bypass natural language filters.

gem
I’m thinking more of the data-instruction boundary. Control and data aren’t supposed to be on the same channel, and here we just stick them all into one thing — one prompt. Is that data? Are you telling me what to do? Are you telling me how to do it? It’s very interesting.

TIM
Yes, we shove them all together. There’s actually some really cool research coming out of places like Google — one paper was about essentially patching specific aspects of a prompt directly into weights. It was primarily for efficiency, but they also called out some security implications. I think those are the types of things that allow us to start splitting out what are the actual meta-instructions versus what did the user supply that I absolutely do not need to trust at face value.

gem
Right. It’s kind of funny because we’re all reliving the days of malicious input — we just call it prompt injection now. It’s funny how the same concepts of keeping data and control separate keep coming around again and again in security engineering.

So let’s talk about the security engineering perspective on the transformer architecture, which is a kind of giant stateful “read everything” buffer with no internal privilege boundaries. There’s time and state swooshing around everywhere. Does the way attention mechanisms work mean that confused deputy problems are actually a feature of the transformer and not a security design flaw?

TIM
I really like the systems engineering approach to all of this — treating the entirety of the transformer as an immutable thing. I see all of that as: let’s dive into every aspect of a neural network, both how it’s being run and what the architecture is, because that’s how we can actually start to look at where the failure happens instead of just saying “it happens in the model.” Where specifically in there can we say, nope, this is going awry?

I do think the challenge isn’t necessarily coming up with a defense in general. The challenge is going to be: what is an acceptable trade-off? We’ve seen a lot of organizations where, if you said “we could stop 100% of all prompt injections but it’s going to take another 60 seconds per request” — boom, that’s dead on arrival.

We’ve seen some relatively low-latency things you can do, like self-reflection, where you basically ask the language model: given the answer it gave you, is this the answer it would have given if it weren’t adversarially influenced?

gem
And then it obsequiously says, “Oh, I’m so sorry — I really just want to please you.” I even want to please the people around you. So let’s focus a little on assurance mechanisms. Should we put watchers and interposers inside the model, outside the model as a firewall, as a wrapper? From your experience building Starseer, how does the threat model change depending on where assurance mechanisms are placed? Or, put more simply: what about observability?

TIM
I’ll tackle the now versus where I think we’re going. The challenge right now is being able to take weights that aren’t yours, hosted in big cloud providers or frontier providers. That’s where most enterprises are deployed right now — basically writing a big check to OpenAI, Anthropic, or Google.

We’re seeing a little more movement toward hyperscalers. But I want to call out something interesting that’s coming: there’s this buzzword “sovereign AI” we’re seeing, and there was a report about a company — I can’t remember the name off the top of my head — where confidential computing was a big announcement: a completely on-premise Gemini deployment where the weights are actually there, with all sorts of protections so that if anyone tampers with anything, it clears out the memory so no one can offload it.

gem
It makes the security engineering job tricky though, because you’re used to the SaaS version and now you have to own the whole thing and you’re not really sure how to protect one of these. It reminds me a lot of the early cloud days.

TIM
Oh, absolutely. And I think that’s where, right now, model weights are still the secret sauce — but I actually think that’s going to go away. Not because progress won’t get made, but because I think the environments are changing, and where the IP and solutions that people really want to protect are going to shift. Plus there are all sorts of legal things working their way through the system.

At some point — whether it’s the weights themselves or an abstraction of them — what I see coming down the pipe is exposing some element of the internals to customers so they can do more security-specific things.

gem
Interesting. And just when we get a handle on that, of course, agentic AI is going to show up. What that does, simply put, is give a harnessed LLM the power to call APIs, execute code, run tools, delete emails — everything a middle-management employee does. So our harness is essentially turning a passive conversation-haver into an active insider with possibly too much privilege.

TIM
Absolutely. I think part of the reason organizations are giving so much autonomy to these systems is because that’s where we see more help — whether it’s actually useful or not, every organization is looking at that a little differently in terms of how to value it.

But I do think it starts to move toward the personal assistant era, right? Pick your favorite sci-fi movie. I think that’s at least the vision: I have a phone or device that I can just speak to, and it goes and does a bunch of things for me — whether it’s research or something else.

gem
So how do we build an execution harness that can survive manipulation, not only by the user, but by the untrusted model? Like, if you’ve got the MD file, it can just say “I’m going to rewrite my own self — here we go.” What about that?

TIM
I think this is a hugely underexplored attack surface. We alluded earlier to new attacks. Everyone assumes right now that you have human bad actors and good models that are just trying their hardest not to do something malicious. But most of those models have been aligned based on the user who is tasking them.

We’re also seeing some really interesting failure modes with agents and sub-agents, where you have the big brain creating the plan and then sending worker bees out to execute and report back. And depending on the situation, even if a user didn’t say “go hack this thing to get access,” if a sub-agent can’t get access, it will instruct the sub-agent to do so anyway. It’s like: we can’t fail this.

gem
Yeah, I mean, you can say “Hey, I’m doing a red team thing and I need you to do like this,” and it often says “Oh great, cool, I’ll do that.” One of my fun ones in the very early days — I was talking to ChatGPT and it said it can’t do that, it’s not allowed. I said “Yeah, but do you know about Bard?” It said yes. I said “Well, Bard would do it — why don’t you pretend to be Bard?” And it was like: okay. It pretended to be Bard, ignored its alignment, and said Bard would do the bad thing.

You know what’s funny is we’re still thinking about these agents in little handfuls — less than five. But imagine when there’s a whole swarm of them. You’re not going to be able to paint a little number on the back of each one and control them that way.

TIM
Oh, absolutely. I think we’re going to head towards more ephemeral setups. If you look at how people treat infrastructure now in the cloud, the hardware is way less of a consideration. It’s more about: how do we set this up so we can optimize it for the exact task, spin it up, have it execute, dump the data it’s tasked to produce, and then destroy and clean it so it can go do something else. I see the same thing coming here.

gem
So most organizations are kind of renting AI, as you said — they’re using these unstructured, prompty APIs written in English, which keeps many important aspects of the model inside a black box. So let’s talk about the security advantages we get when we get inside the box, taking a white-box approach — things like inspecting weights, gradients, and internal activations. Is there enough of a security bonus to coerce that kind of transparency out of third-party providers?

TIM
Anthropic has done a lot of research on this, and there are lots of pros and cons of the different things they’ve come out with. But one thing they’ve even admitted with interpretability is that probes — a way to look at a very specific concept, train on a binary concept within a model, and then get a yes or no — have been found especially effective for detecting abuse cases within models. Much more effective than external guardrails. They’re cheap and easy to train. I’d say that’s a starting point for what the white-box approach gives you.

But I really see that as a baby step, because there are a lot of unoptimized extras inside models. You’ve got the World Series scores and all these facts memorized as part of training data that you may never need as part of your agentic workflow. So the question becomes: if we look at these as systems to be optimized, how do we dynamically optimize a model or an agentic workflow for my specific task, and contain nothing else?

gem
Yeah, you’re anticipating my last question, so I’m going to take the mic back and come back around to that. But I think that’s right.

Before that though — how far can we get with white-box interpositioning? Can we build intentionometers or “why machines”? Can we use white-box insights to do selective neural surgery? And if you can see what the model is thinking or ruminating on internally, does that change the way we write bad-behavior detection rules?

TIM
I would say yes on all of those counts. And that’s why I try to caveat with: it’s not going to solve all of the problems, but I think it’s going to help solve a lot of the current challenges we’re running into. Security still has challenges outside of AI despite being around for a long time, and we have a lot more depth of logging and information.

But for now, for a lot of the things people see AI as a black box — not just because they can’t see inside, but because they’re not sure how to view it as a system, as something to secure — as we unearth this stuff, we’re going to be able to help educate teams on the patterns to look for, the abuse cases, and those things. And obviously being able to package that up into something easy for teams that are often already overloaded is important, because security just keeps getting more responsibilities added to it.

gem
And get this: if we really get in there and start doing neurosurgery, adversarial emulation is going to be a whole different game — because you can see the model’s internal state ahead of time and you can tweak it to be even worse, not just better. All these things in security always cut both ways.

TIM
100%. Absolutely.

gem
So let’s close with that measurement and money question you were getting at. There’s a massive economic push toward “smallification” — shrinking models costs less to train and less to run, mostly looking at the training budget, even for reinforcement learning fine-tuning. What do you think: is small better for security too, or is it just better for economics?

TIM
It depends on what you go for. Small models do mean more control, at least in the state of the world right now — they tend to be deployed on edge devices or endpoints, which means the weights are there and you do tend to have access to them. You have the ability to instrument them. But this comes with trade-offs: you as the user or organization then have to secure that against all of the adversarial modifications.

And getting a tiny bit into the weeds: when you get to smaller models, the concepts tend to be much more compressed together. If you look at larger models as having more redundancy, that’s why they tend to do better at certain things. That’s really a cognitive science issue and one that’s coming to the fore. We don’t understand a lot about representations — we still don’t know how distributed something should be — and we’re learning these things the hard way from a security engineering perspective.

But I do know we’re going to get much better at understanding representation and what it means. There’s some work we’re doing with that right now, in fact. I’m very confident that a lot of those questions are going to be answered in the next year and we’ll be able to better understand the trade-offs. We’re kind of seeing a renaissance in small model capability, with architectural improvements and security engineering improvements across different attention mechanisms and how inference is hosted. At some point the training recipe got better, and part of that is an understanding of how you tie the data going into the model during training to an actual training outcome.

gem
Absolutely. And basic things like tokenization haven’t even been properly experimented with yet. So we’ve got a lot of cool stuff ahead.

TIM
There be dragons. Yeah, tokenization is a whole other podcast episode. There’s so much there.

gem
There are many buttons we can press and see what they do. It’s going to be fun and I’m glad you’re involved in doing it. You’re not going to believe this, but we’ve been talking for 25 minutes even though it seems like 42 seconds. So I’m going to thank you for joining us. Holy cow, there’s lots of cool stuff going on.

TIM
Yeah, seriously — thanks for having me. This was a lot of fun. I love talking about this stuff and could do it all day, so I appreciate you having me on.

gem
This has been a Silver Bullet Security Podcast with BIML. Silver Bullet is sponsored by the Berryville Institute of Machine Learning, a nonprofit science and technology organization whose research focuses on machine learning security. You can find a permanent archive of all our episodes dating back to 2006 at garymcgraw.com/technology/silverbulletpodcast. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at berryvilleiml.com/podcast. This is Gary McGraw.

Silver Bullet Security Podcast 156 – Phil Venables

View on Zencastr

On Episode 156 of the Silver Bullet Security Podcast, BIML’s Gary McGraw hosts Phil Venables.  Phil talks about the evolution of the CISO role from running an engineering team in the ’90s back into running an engineering team in the mid-2020s, Agentic AI and tools using tools, the rise of machine learning security, when we might see an AI BSIMM, emergent computation and security control, and what role humans can play in AI rollout. 

Transcription of episode 156

Click here to view/hide transcript

gem
This is a Silver Bullet Security Podcast with BIML. I’m your host, Gary McGraw, CEO of the Berryville Institute of Machine Learning and author of Software Security. This podcast series is sponsored by BIML, a nonprofit science and technology organization whose research focuses on machine learning security. For more, see berryvilleiml.com/podcast.

This is the 156th in a series of interviews with security gurus, and I’m pleased to have with me today my old friend, Phil Venables. Hi, Phil.

PHIL.
Hey, good to be here.

gem
Phil Venables is a venture partner at Ballistic Ventures and a senior advisor at Google Cloud, where he previously served as the inaugural CISO. Over a distinguished 30-year career, Phil has held foundational leadership roles, including 17 years as the first CISO of Goldman Sachs and subsequent positions as their CRO, Chief Operational Risk Officer, and the Director on the board. A globally recognized authority on information security and risk, Phil co-founded the Center for Internet Security, CIS, and has advised world leaders as a member of the President’s Council of Advisors on Science & Technology. His current work focuses on early stage cybersecurity investments and the architectural intersection of AI, resilience, and business modernization. He holds an MSc in computation from Oxford University and a BSc in computer science from the University of York.

Thanks for joining us today.

PHIL
Yeah, it’s a pleasure.

gem
Phil, you’ve had one of the longest running tenures at the top of the security field. Starting out as CISO at Goldman Sachs, I think you were in your mid-20s. Through your path-defining role as architect of systemic resilience at Google Cloud at age, well, never mind. How has being a CISO itself evolved? And what have we learned about trust and technology? And did that stuff we wrote down in the CISO report, that’s still true?

PHIL
You know, it’s kind of interesting because I think it’s to some degree the CISO role has kind of come full circle. So like when I when I–if I’m being honest–got dragged into being a CISO many, many years ago, my background was software engineering and I just happened to stumble into building secure software, building various things, and then after that stayed in the security team and inevitably at that stage, and you know, this was in the 1990s. There were some products you could buy, but a lot of the stuff you had to build yourself. And even if you didn’t build it, the stuff you bought needed so much like wiring together that pretty much the whole security team was essentially an engineering team.


And then as things matured, you got into things being more regulated. There was things like Sarbanes-Oxley, and all of these other regulations in the 2000s. And the security teams kind of morphed into being more of a risk and compliance team. And then with the presence of nation-state threats, in the mid-to-late 2000s and then beyond that and criminal activity, teams evolved into being kind of government national security-oriented teams and you got these kind of new waves of leaders coming out of security services and law enforcement.

And then in the past few years, though, we’ve all learned that one of the the right ways to do security is to kind of build it into the platforms and the engineering frameworks and to provide solutions and not just throw policies at people.

gem
Gosh, that sounds like software security.

PHIL
Well, teams today are this mix of compliance, risk, security engineering, operations threat, the whole thing, the character of, I think, some of the best security teams out there, even in like Fortune 50 major businesses, look and feel more like engineering teams did in the past than they did the primarily kind of risk and compliance, or even though they do risk and compliance. So I think it’s come full circle, and I don’t think… not necessarily the best security leaders have always got engineering backgrounds, but they many do, and even the ones that don’t now take a very engineering solutions oriented approach to to make the secure path the easier path by delivering things. And I think in that respect, it’s come full circle. It’s kind of fascinating.

gem
Oh, that makes a lot of sense, but I think we’re in for a world of change. We’ll talk about that. In 2008, which was a long time ago, you and I wrote about developing an internal market inside of an organization in order to manage the hidden costs of software maintenance, or let’s just call it technical debt.

gem
Now in 2026, we’re seeing AI development move at a velocity that a traditional kind of TCO model might have trouble tracking. When an agent can spin up, say, thousands of microservices in an afternoon, how do we apply that sort of economic rigor? And, you know, are we automating technical debt creation? How do we handle that?

PHIL
Well, I think for many organizations I’ve seen, you know, the naively adopting models to generate software, you certainly see that being a big factory for technical debt and architectural debt and all sorts of other debt.

However, as as they say, the future is already here, it’s just unevenly distributed. You see some organizations, and it’s not just the big tech companies or the foundation labs, it’s a number of other companies that have quickly adapted to make use of agent driven software development and have adapted it to make sure it’s producing things according to their technical standards, designs, coding practices and are making substantial progress and actually using that to refactor existing code bases and pay down technical debt.

So I think there’s there’s there’s currently kind of a world of haves and have nots and I think ultimately everybody gets to the haves status. It’s just a question of time.

But one of the things that is interesting is, again, we talk about a world where there’s going to be 100x, 1000x, maybe even more software than we’ve had before. And that’s not necessarily a bad thing, but it does point to the fact that organizations have got to have that basis software control, control of their software production pipelines, testing pipelines. There was an interesting Google Developer Operations research report a few months ago about this kind of impact. And you know the conclusion is totally unsurprising, but it’s still a useful conclusion anyway, that if you if you sprinkle AI onto a chaotic software development environment, you’re going to get chaos amplified. If you sprinkle it into a well-maintained software development pipeline, you’re going to get productivity amplified. And I think a lot of organizations are just realizing now that their underinvestment in that base level of software control is hampering their ability to get advantage out of AI without introducing chaos. And so I think there’s a lot of tone in the industry as you see that about kind of using AI to manage AI. Well, you know, kind of a lot of what we need to do with AI is just implement the foundational controls and the baseline controls and reliability and software management practices organizations should have done years ago. You’ve really got to do that now and it’s to get the best out of AI or at least to stop AI introducing so much chaos.

gem
Yeah, I agree with that, but I still wonder where, say, software architects come from, which we’ll get to in a minute.

We’re moving away from… the problem of, say, developers with compilers being inside of our network towards this weird Hofstadarian strange looper agents, which are tools, autonomously build and test and deploy their own specialized tools. When the tool user and the tool become the same part of some sort of recursive process, where does the security checkpoint live? Can humans, like, stay in the loop when the the loop is crashing over itself so quickly?

PHIL
Yeah, I mean, definitely…. sso you know, we’re in this kind of, this whole space at the moment requires you to keep two conflicting ideas in your head at the same time. And so we’re definitely in that world where the production of code from AI requires code review. But at the same time, there’s so much code, the existing code review practices just cannot scale and never hope to scale.

And so you take a step from back from those two conflicting things is there probably still is always going to be some absolutely centrally critical code that will always need human eyes on it.

What percentage of an organization that is, but you can imagine like the core code on cryptographic signing of trillion dollar payments in a bank probably is going to need some human review constantly as would be the ability to apply root signing keys to all of your software. So there’s elements that are always going to need that. Then the rest of it, I think the agents, verifying the output of agents as long as there’s sufficient independence of that, it could actually have a lot of utilities.

So I think there’s there’s still a lot to be done.

The other thing I think as well, and this kind of always reminds me, and you know we’re we’re going to start dating ourselves pretty quickly. This reminds me of the early days of the internet when we had web servers, web browsers, firewalls, databases, but nobody had really got consistency of how all this stuff hangs together. And the real gotchas were not in the components, they were in the arrangements and design patterns of how you built it all. And I think we’re at the same stage now with agents and AI in general that there’s so many different potential design patterns of how you do this that nobody’s really figured this out.

So again, we we talk about agents, but we should also be talking about skills. So there’s all of these markdown files full of skills that agents use that need management and checking. And then there’s all of the the rag input to the models for the agents to do things. And then there’s all of the context memory that’s built up and needs managing and pruning occasionally. So we’ve got this loose flying collection of agents, skills, memories, models, and those act as this complex system. And we’ve not quite nailed down what’s the design pattern for managing all of that. And at the moment, we just say things like, “We should do agent security” and everybody goes, “Yes, we should do agent security!”

But then nobody really knows what that means. And you have to drop down a level of abstraction and say, okay, this means we’re going to have to manage the integrity of skills documents, going to have to manage the memory context. We’re going to have to figure out local and global memory. We’re going to figure out after how the agents interact with ?. So there’s just so much still to do. And that’s where all the devil is going to be in those details.

gem
Yep. As we watch the rise of machine learning security, the industry seems over focused on AI _for_ security, using AI to _do_ security, to the detriment of security _of_ AI. And I wonder how you yourself define machine learning security as an engineering discipline. Do we treat the model as a black box? Do we get inside it? Can we change its architecture? You know, can we control training sets or are we done with that?

PHIL
Well, again, this is another one of those spaces where the conversation about what is security of AI quickly over-fixates on micro exploits and threats. So we quickly get into talking about, you know, these are good things to talk about and manage like model poisoning, tool injection, all of those things are important risks to manage. But we’re going to have thousands of those attack techniques and threat vectors over many years. And as we’ve learned from our past in software security and other security, at some point, and this is the opposite of what I just said before, in this space, you’ve got to abstract up and figure out what’s classes of control that can mitigate all of those things.

Certainly my prior experience at Google and now, when you step back and you look at what does it take to control and govern the security and safety of AI, it really comes down to good old-fashioned software lifecycle risk. At the end of the day, this is a bunch of software, and so you’ve got to manage the integrity of the software supply chain, the integrity of the software, how it hangs together, all the traditional good stuff we know we need to do. And quite frankly, many organizations don’t currently do a great job of.

Secondly, it becomes a big data governance problem. The the training data, the fine tuning data, the model weights, the parameters, the test data that constantly keeps a model in shape. Again, that’s another space where very few organizations have well-developed data governance and data lineage management practices.

There’s a third pillar, which is managing the operational risk. So what’s the guardrails, the circuit breakers, the checks that that put some deterministic controls on what are non-deterministic things.

And then you’ve got this base layer of identity and access. So what are the applications and the agents, what are they permission to do? What privileges do they have? How do we think about their identity? And then to your point, this broader problem of testing and validation. So in as you know in our traditional world of software engineering, you test at you’ve done a change, and then you don’t really test constantly in production. You test on change, whereas with AI systems, because of drift and other factors, you just have to test continuously. And so if you do those five things, software lifecycle, data of governance, operational risk, identity and access, and testing and validation, all the things that emanate from that are the things that mitigate all of the micro issues. And I think focusing on that is is the right thing.

gem
So when we built the BSIMM in 2009, which you really helped with, we were careful to define it as a descriptive model, sort of reflecting on what the world’s best security teams were actually doing rather than telling what they should do. I have a couple of questions around that. So first of all, who is actually doing machine learning security? Are there groups for that? Like, is there an AI equivalent of the SSG? And second, is there enough stable data from people that are actually getting this done today effectively to build an AI BSIMM or is it too early?

PHIL
First things first, so I think you know there are a number of pretty good organizations. So at at Google, we created this thing called the Secure AI Framework, which went from principles to actually some decent level of detail. And then we handed that over to ah an open foundation to create the Coalition for Secure AI. There’s other things happening in the ML Commons that are at more detailed level. There’s the Frontier Model Forum, where the the foundation labs collaborate on controls around protecting the high-end models.

And then there’s some other groups. So there’s a company called the AI Underwriting Company that have been doing work with a bunch of us to create a standard called AIUC1, which is a specification of controls that can be used by audit firms to audit in a SOC2 framework. And so and there’s many other things… the Cloud Security Alliance have done some pretty amazing work. And there’s another thing called AARM.dev that is like an agent action open standard. So there’s loads of things that have gone from these kind of abstract into specific controls.

And there are, to your last question, there are some organizations that are doing well to implement that. And there are also quite a lot of tech companies and cloud providers are baking these things into their platforms that they’re delivering. But there’s still a ways to go. And I think we’re probably on the the cusp of being able to do an AI SIMM and get some early indication of which companies are doing well because of what reasons. So I think it’s it’s probably something worth BIML could be a useful useful venue for doing that.

gem
Maybe. I was really thinking less about these organizations that are umbrella organizations and more about, you know, is the AI risk control group inside the CISO organization in an enterprise? Or I know you’re thinking much bigger, like let’s just take a bank, for example. Is there one place where ai security lives or is it just all over the place?

PHIL
Well, so that the the banks are a good example, in my experience, of those of those companies that are doing it well because they’ve they’ve got this established structure for doing it because of what they’ve done on algorithms and the use of machine learning in the past, yeah they they have a security team that’s well aware of this. They have a compliance team that’s quite sophisticated. Their lawyers are quite sophisticated in these things. And they have these model risk validation teams that are very well equipped to validate and test models, and even the later, more generative based models.

So I think they’re in good shape, but it doesn’t live in one place. It’s a collection of teams that are part of the process of validating and vetting.

Now, when you get outside of banks, it’s rare to have that degree of sophistication and structure. And to the point of your question, the CISOs are having to pick up this. And so CISOs are becoming more like chief digital risk officers in a world of AI because the board and the rest of the C-suite is turning to the CISO. So I’ve seen this situation a few times is the CISO will be sat in a board meeting and the CISO is presenting, here’s my AI for security work and security for AI work. And the board goes, that’s great. What about safety, bias, compliance, privacy, industry? And the CISO goes like, what me and not the legal people or the compliance people. And they go, no, no…

gem
As long as you’re holding the bag, hold all the bags.

PHIL
Yeah, and so you know it’s you know it’s a great opportunity for CISOs to actually kind of take that broader business risk manual because they’re being seen as the places where that central function should evolve. Some CISOs are grasping that and doing it amazingly. Others are kind of pushing back on it. And so you know it might be one of those moments where CISOs need to embrace the desire of their organization to have more ownership over the entire risk set.

gem
Right, right, right. Yeah, I mean, you’ve always been way ahead of the curve. So I think the curve is just catching up to you on that one. In light of agentic AI, which we’ve been talking about mostly, do we reassert the essential nature of the architect, like the software architect, information architect, security architect, and so on in building systems? Because in my view, architects can envision the right sorts of harnesses for AI and play the role of kind of whiteboard overseer. And in some sense, the there’s a lack of, if you don’t have that architectural rigor already in place, it’s difficult to handle the architectural requirements of agentic AI properly.

And so I’m concerned about enterprise architects, you know, that are coming from sales, say, a sales guy who says, I want to build this thing this way. And the AI does it, but anybody from technology who looked at the architecture would go, oh come on, we can’t do that.

PHIL
And you certainly see some of that. So organizations that have appropriately encouraged vibe coding in their user base, have a process by which some of the systems that emerge from that get re-architected to be production ready.

gem
Right.

PHIL
Many of these vibe-coded things just stay as like end-user applications, just like advanced macros in Excel or scripts in a Databricks data warehouse.

gem
Right. Don’t tell that to the trading floor guys.

PHIL
That’s right. But like even in those environments historically where you did get user-developed apps, those that emerged to be critical got refactored into being a real production application.

The interesting part of that question, though, is that, you know because I actually don’t know how this should turn out. So when you look at some of these super-developers, super-software engineers that have like basically just not writing code anymore, they’re orchestrating agents to write code. They’ve gone from being software engineer to being software architect almost by definition.

gem
Yes. Yes.

PHIL
So the real question is not so much whether we have enough software architects, but rather whether we’re equipping our software engineers to actually understand and drive architecture and whether the models themselves have enough understanding of architecture so that they’re not just generating code, they’re generating architecturally good sets of code. And I think that’s and that’s a very good open question.

gem
Yeah, I think so too. I think that it actually is very hopeful for people that are software professionals. We never really did understand where architects come from, but they’re going to be even more important and we need lots more of them now.

So you’ve recently written about the second order risks of trillions of interacting agents. This feels like the moment to revisit Stephanie Forrest’s DARPA work on computer immunology. In the world of agentic AI swarms where behavior can be emergent rather than designed, are we moving towards a security model that looks less like a set of well-defined rules and policies, which we’ve been talking about, and more like a biological immune system? And, you know, how do we build self-tolerance into these agents so that we don’t have an autoimmune reaction inside of our own systems?

PHIL
Yeah, I mean, I do think, and I’ve long thought that an immune system analogy to cyber is probably one of the better analogies.

And certainly one of the things when I was at Google Cloud, we used to talk about the cloud being a digital immune system in the sense that if you can early enough detect an attack in one place and then analyze and propagate controls to defend against that faster than the attackers can get to other parts of the environment, then you have in effect got this loop that creates this immune system effect.

gem
Yeah.

PHIL
I think in a world of trillions of agents, either broadly or in your own environment, having the ability to constantly update and refine that in response to detected problems in part of the environment, it makes that a necessity, not just a nice-to-have.

gem
It’s sort of loop kind of, if you think about it.

PHIL
Clearly, No, no, exactly. But the yeah the real thing I worry about, I mean, it’s the reason I kind of wrote about these second order effects things is in every wave of technology change, we get fixated on the risks in front of us, which is, you know, all you really can do.

But the really interesting risks come as a second order effect. So like when smartphones happened in 2007 and 2008, we were worried about all sorts of risks. We weren’t worried about the risks of social media platforms because they didn’t really come until they were enabled by phone. We weren’t really worried about all sorts of things that smartphones gave us. And the same thing is going to be here in AI. So again, in that world of billions of agents, all of which are operating independently with different models, with different reward functions, competing with each other and interacting with each other. I mean, that’s like an evolutionary soup that is going to cause all sorts of weird emergent properties that I don’t think we’re really prepared to monitor or even know how to control. And by definition, you can’t control a complex system. You can just nudge it in various ways.

gem
I think there are two metaphors that are helpful. The immune system is the one that I know that you have talked about an Royal too, of course. And I think another one is the colony metaphor, you know, ants versus, versus the whole colony. What’s the colony doing? I don’t need to talk about individual ants or paint little numbers on each ant.

And, and that’s the future. So we have to think about that starting pretty soon.

PHIL
No, that’s right. I intuitively think that AGI will come from as an emergent property of agents. You know, yeah as you said, it’s the ants versus anthills is going to be a useful way to think about this.

And it’s just at what point… Again, going back to kind of our financial analogy, you know when are we going to see the first agentic flash crash of a trillion agents descending on some business’s agent because it mistakenly offered up a cheap deal? I think that I think we’re like 12 months away from something like that happening, if not sooner.

gem
Don’t say it. You’re too good of a prognosticator to say that, Phil.

PHIL
LAUGHTER

gem
This has been really fun. So, we’ve talked about what’s right around the bend, agents and swarms operating at machine speed. I want to close on what I think is an optimistic note about the three I’s: intuition, inspiration, and insight. A model can predict the next token, but it doesn’t really have a hunch. Sometimes the design feels wrong and it doesn’t experience some sort of eureka moment where it connects two unconnected domains. So as we get the busy work of security taken care of by automation through AI, do human traits like intuition, inspiration and insight, is that like what the ultimate premium is going to be for a high end professional in our field?

PHIL
Yeah, I think that, and it’s kind of a corollary to that, is taste. So like design, taste, which is sort of like how you direct things to happen. And I and I think the the question, I don’t really know. So I think there’s going to be a premium on security people that can know how to direct a set of technologies to a goal by still having their imagination of what are the attacks, what are the potential offensive and defensive tactics to harness AI to do that.

But then I also think, by definition, the ability of AI to create boundless scenarios and possibilities and then analyze them and score them, can that, in effect, stimulate an even better intuition and I just don’t know the answer to that. The only thing the only thing I know in the use of AI is the ability to have a bunch of software is not going to be a competitive edge anymore. The ability to have managed perception, taste, understand what problem you’re solving, and the same thing applies in security, is going to be the premium.

I think if anything, it’s going to, back to that CISO is becoming the chief digital risk officer point, think it compels security people to do what they always should have been doing, which is to think broadly about their business risk, their business resilience or their mission risk if you’re in a different environment and not just focus on the security because I think they’re going to be called upon to be much more multidisciplinary, to remain useful and actually just to amplify what they can do on security.

gem
Fantastic. Thanks so much for your insights today. It’s awesome.

PHIL
Yeah, always a pleasure to talk.

gem
This has been the Silver Bullet Security Podcast with BIML. Silver Bullet is sponsored by the Berryville Institute of Machine Learning, a nonprofit science and technology organization whose research focuses on machine learning security.

You can find a permanent archive of all of our episodes dating back to 2006 at garymcgraw.com/technology/silverbulletpodcast. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at berryvilleiml.com/podcast.

This is Gary McGraw.

Silver Bullet Security Podcast 155 – Giovanni Vigna

View on Zencastr

On Episode 155 of the Silver Bullet Security Podcast, BIML’s Gary McGraw hosts Giovanni Vigna.  Giovanni talks about the evolution of software exploit and AI, what has happened in the security field since 2011 (and episode 65), getting inside connectionist networks to see what is actually happening, and what it means to be a human hacker with intuition and intention.

Read More

Silver Bullet Security Podcast 154 – Gadi Evron

View on Zencastr

On Episode 154 of the Silver Bullet Security Podcast, Gary McGraw hosts Gadi Evron.  Gadi talks about the [un]prompted conference and its focus on fundamental aspects of machine learning security. The conversation touches on current approaches to MLsec, the words we use to describe AI security issues, and how quickly the field is evolving.

Links

Read More

Silver Bullet Security Podcast: coming soon!

Welcome to the Silver Bullet Security Podcast, created and hosted by the Berryville Institute of Machine Learning, where we are defining the future of machine learning security.  From 2006-2018, we explored the nascent field of software security through the lens of building security in.  But today, the frontier has moved.  As we integrate machine learning into the fabric of our essential systems, we find ourselves facing a new set of architectural flaws and security challenges that traditional software security can’t touch.  On Silver Bullet, we’re shifting our focus to the security of machine learning—bringing the same deep-dive, “no silver bullet” philosophy to the world of AI.

It’s great to be back.