An Initiative to Secure the World's Software | Project Glasswing

TL;DR: Anthropic has launched "Project Glasswing," leveraging its newly developed code model, Claude Mythos Preview, to assist critical global software organizations in identifying and patching vulnerabilities. The initiative aims to elevate cybersecurity standards through collective defense. ## New Challenges in Software Security and the Duality of Large Language Models For the vast majority of people who use software in their daily lives, "bugs" are often an invisible concept. Users rarely consider what might happen if the security of the software they rely on suddenly deteriorates, as most vulnerabilities are quickly patched upon discovery without causing noticeable impact. However, software developers face this reality every day: software invariably contains defects and vulnerabilities. Occasionally, critical vulnerabilities are discovered, particularly when they exist in shared software widely used across numerous products or websites. In such cases, a single issue can be amplified globally, causing massive impact. Historically, finding and patching vulnerabilities has been a slow, time-consuming, and expensive process. This landscape is changing with the advancement of Large Language Models (LLMs). Today's LLMs can write code comparable to that produced by top-tier software developers worldwide. From a cybersecurity perspective, this raises the stakes: these models can empower defenders, but they also have the potential to assist attackers in exploiting software. ## Claude Mythos Preview: A Leap in Coding Capabilities and Security Side Effects Anthropic has recently developed a new model, **Claude Mythos Preview**. Early in the development process, the team recognized that the model would see significant improvements in its cybersecurity capabilities. While the trajectory of capability growth was accelerating exponentially, Claude Mythos Preview achieved a substantial leap at a critical juncture. Notably, Anthropic **did not specifically train** the model to excel in cybersecurity; instead, they focused on enhancing its **code processing** abilities. However, as a side effect of its proficiency in coding, the model has demonstrated exceptional performance in the field of cybersecurity. * **Professional-level Detection**: The model’s ability to identify vulnerabilities is largely comparable to that of professional human developers. * **Generation of Complex Exploit Chains**: The model is capable of chaining multiple vulnerabilities together. It can construct sequential exploit chains based on three, four, or even five individual vulnerabilities that may seem low-risk in isolation, ultimately achieving complex attack effects. * **High Autonomy**: The model excels at executing long-term tasks similar to those completed by human security researchers over the course of a day, demonstrating a high degree of autonomy. ## Project Glasswing: Establishing Collective First-Mover Advantage Given the powerful capabilities of Claude Mythos Preview, falling into malicious hands could pose severe risks. Consequently, Anthropic has decided not to release this model broadly. However, since more powerful models will inevitably emerge from Anthropic and other companies in the future, a strategic response plan was necessary. To this end, Anthropic launched **"Project Glasswing."** The core of this initiative is collaborating with organizations behind critical global codebases, providing them access to the model to research how such tools can be used to mitigate risks and protect everyone. * **Collective First-Mover Advantage**: By giving priority access to advanced tools to other software developers, the entire industry gains a collective first-mover advantage. * **Discovery and Remediation**: This enables teams to identify previously undetectable issues and patch them more rapidly. ## Practical Results: Critical Vulnerabilities Found in Major Platforms Through collaboration with partners, the team discovered vulnerabilities across nearly all major platforms. The Anthropic team reported that the number of vulnerabilities found in recent weeks exceeded the total number discovered throughout their entire careers combined. The team used Claude Mythos Preview to scan extensive amounts of open-source code, starting with operating systems, as these form the foundational code supporting the entire internet infrastructure. Here are some specific findings: 1. **OpenBSD**: A vulnerability existing for **27 years** was discovered. Sending a few sets of data to any OpenBSD server could cause it to crash. 2. **Linux**: Several privilege escalation vulnerabilities were identified. Users with no special privileges could elevate their permissions to administrator level simply by running certain binary files locally. For every vulnerability discovered, the team immediately notified the maintainers responsible for running this software. The maintainers promptly applied fixes and deployed patches, ensuring that users of this software were no longer susceptible to such attacks. For developers who tirelessly maintain software, a model that helps them identify vulnerabilities in their own code and patch them before exploitation is an invaluable asset. ## Cross-Industry Collaboration and Social Security Anthropic has communicated with multiple officials from the U.S. government and proposed collaboration to jointly assess the risks of these models and assist in mitigating potential threats they pose. In today’s society, software is integral to every aspect of life. Software has "eaten" the world, and all daily activities are built on the belief that we can rely on the systems underpinning them. Therefore, **cybersecurity is synonymous with societal security.** * **Joint Defense**: It is essential to unite and collaborate across industries to build stronger defensive capabilities. * **Long-term Commitment**: No single organization can see the whole picture or solve this problem alone. This work cannot be completed in just a few weeks; it will require at least months, if not years. Anthropic hopes that through Project Glasswing and similar long-term efforts, software worldwide, user data, financial transactions, and critical infrastructure will become more secure. Source: An initiative to secure the world's software | Project Glasswing (Anthropic) (https://www.youtube.com/watch?v=INGOC6-LLv0)