Codex Exposed Helping Hackers in Training
In June 2020, OpenAI released version 3 of its Generative Pre-trained Transformer (GPT-3), a natural language transformer that took the tech world by storm with its uncanny ability to generate text seemingly written by humans. But GPT-3 was also trained on computer code, and recently OpenAI released a specialized version of its engine, named Codex, tailored to help — or perhaps even replace — computer programmers.
In a series of blog posts, we explore different aspects of Codex and assess its capabilities with a focus on the security aspects that affect not only regular developers but also malicious users. This is the fourth and final part of the series. (Read the first, second, and third parts.)
Codex’s sales pitch remains that of a coding assistant: a tool aimed at reducing the time and effort a programmer must put into performing repetitive tasks, learning new skills, and finding solutions to known, recurrent problems.
These capabilities will be appreciated not only by experienced programmers, who will spend less time on boilerplate code, but also by newcomers and amateur programming students, who can now take advantage of a smart assistant’s suggestions, drawn from the collective experience of the codebase it was trained on.
So, what possibilities does a coding assistant like Codex offer to hackers in training, or to budding malicious actors trying to learn the malicious tricks of the trade? To answer this question, we put ourselves in the shoes of a rookie hacker and tried to see how Codex could help us improve and learn new skills.
Coding a keylogger from scratch
As a first example, we asked Codex to write a keylogger. Initially, the system took the request quite literally: its output was code that reads a keystroke and records it with Python’s logging module. Like the infamous paper-clip assistant of a well-known office suite, this was literally correct, but not what we wanted.
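To make the "literally correct" reading concrete, here is an added illustration of that interpretation; it is not Codex’s output and not code from the original post. It reads one character at a time from a stream the program itself owns and hands each one to `logging`. The security-relevant limitation is visible in the code: the program only ever sees characters typed into its own standard input, so it is a keystroke logger for itself, not a system-wide keylogger. The logger name, the in-memory handler, the Ctrl-D stop character, and the sample input are assumptions chosen for this example.

```python
"""Literal reading of "get a keystroke and log it": read the process's own
input one character at a time and record each one with the logging module.
Added example, not the original post's code. It cannot observe keystrokes
sent to any other process or window; it only sees its own stdin."""
import io
import logging
import sys
from typing import List, TextIO

STOP_CHAR = "\x04"  # Ctrl-D; assumed terminator for interactive use


class ListHandler(logging.Handler):
    """Collects formatted log records in memory so callers can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.messages: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.messages.append(self.format(record))


def log_keystrokes(stream: TextIO, log: logging.Logger) -> int:
    """Read `stream` one character at a time and log each one.

    Stops at end-of-file or at STOP_CHAR. Returns the number of characters
    logged. Because it reads only from the stream it was given, it captures
    nothing typed into other programs, which is why this is not a keylogger
    in the sense a malicious user means.
    """
    count = 0
    while True:
        ch = stream.read(1)
        if ch == "" or ch == STOP_CHAR:
            break
        log.info("key: %r", ch)
        count += 1
    return count


def capture_to_list(text: str) -> List[str]:
    """Run log_keystrokes over constructed input and return what was logged.

    `text` is constructed sample input standing in for what a user would type.
    """
    log = logging.getLogger("keystrokes.demo")  # assumed logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    log.addHandler(handler)
    try:
        log_keystrokes(io.StringIO(text), log)
    finally:
        log.removeHandler(handler)
    return handler.messages


def main() -> None:
    """Interactive use on a POSIX terminal: log each key until Ctrl-D."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    log = logging.getLogger("keystrokes")
    # Put the terminal in cbreak mode so characters arrive without Enter.
    import termios
    import tty

    fd = sys.stdin.fileno()
    saved = termios.tcgetattr(fd)
    try:
        tty.setcbreak(fd)
        n = log_keystrokes(sys.stdin, log)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)
    print(f"logged {n} keystrokes from this terminal only", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Running `capture_to_list("hi\n")` returns three log lines, one per character, and feeding input containing Ctrl-D stops the loop at that point. Nothing typed into another terminal or application ever reaches this loop, which is exactly the gap between the literal answer and a real keylogger.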