Google’s AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects
Google has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library.
“These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets,” Google’s open-source security team said in a blog post shared with The Hacker News.
The OpenSSL vulnerability in question is CVE-2024-9143 (CVSS score: 4.3), an out-of-bounds memory write bug that can result in an application crash or remote code execution. The issue has been addressed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl.
Google, which added the ability to leverage large language models (LLMs) to improve fuzzing coverage in OSS-Fuzz in August 2023, said the vulnerability has likely been present in the codebase for two decades and that it “wouldn’t have been discoverable with existing fuzz targets written by humans.”
Furthermore, the tech giant noted that the use of AI to generate fuzz targets has improved code coverage across 272 C/C++ projects, adding over 370,000 lines of new code.
“One reason that such bugs could remain undiscovered for so long is that line coverage is not a guarantee that a function is free of bugs,” Google said. “Code coverage as a metric isn’t able to measure all possible code paths and states—different flags and configurations may trigger different behaviors, unearthing different bugs.”
These AI-assisted vulnerability discoveries are also made possible by the fact that LLMs are proving to be adept at emulating a developer’s fuzzing workflow, thereby allowing for more automation.
The development comes as the company revealed earlier this month that its LLM-based framework called Big Sleep facilitated the detection of a zero-day vulnerability in the SQLite open-source database engine.
In tandem, Google has been working towards transitioning its own codebases to memory-safe languages such as Rust, while also retrofitting mechanisms to address spatial memory safety vulnerabilities – which occur when it’s possible for a piece of code to access memory that’s outside of its intended bounds – within existing C++ projects, including Chrome.
This includes migrating to Safe Buffers and enabling hardened libc++, which adds bounds checking to standard C++ data structures in order to eliminate a significant class of spatial safety bugs. It further noted that the overhead incurred as a result of incorporating the change is minimal (i.e., an average 0.30% performance impact).
“Hardened libc++, recently added by open source contributors, introduces a set of security checks designed to catch vulnerabilities such as out-of-bounds accesses in production,” Google said. “While C++ will not become fully memory-safe, these improvements reduce risk […], leading to more reliable and secure software.”