Google revealed that its AI-based fuzzing tool OSS-Fuzz was used to detect 26 vulnerabilities in various open-source repositories, including a medium-severity flaw in the OpenSSL cryptographic library.
“These particular vulnerabilities represent a major milestone for automated vulnerability discovery: each one was found with AI, using AI-generated and enhanced fuzz targets,” Google’s Open Source Security Team said in a blog post shared with The Hacker News.
The OpenSSL vulnerability, tracked as CVE-2024-9143 (CVSS score: 4.3), is an out-of-bounds memory write bug that could cause an application to crash or lead to remote code execution. The issue was addressed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl.
Google, which added the ability to leverage large language models (LLMs) to improve fuzzing coverage in OSS-Fuzz in August 2023, said the vulnerability has likely been present in the codebase for two decades and that it “would not have been detected with existing human-written fuzzing targets.”
In addition, the technology giant noted that using artificial intelligence to generate fuzz targets improved code coverage in 272 C/C++ projects by adding more than 370,000 lines of new code.
“One of the reasons that bugs like this can go undetected for so long is that line coverage is no guarantee that a feature is bug-free,” Google said. “Code coverage as a metric cannot measure all possible code paths and states—different flags and configurations can cause different behaviors, revealing different errors.”
These AI-assisted vulnerability discoveries are also made possible by LLMs proving adept at emulating a developer’s fuzzing workflow, allowing more of it to be automated.
The development follows the company’s disclosure earlier this month that its LLM-based framework, called Big Sleep, contributed to the discovery of a zero-day vulnerability in the open-source SQLite database engine.
In tandem, Google is working on transitioning its own codebases to memory-safe languages such as Rust, while also modernizing mechanisms to address spatial memory safety vulnerabilities, which occur when a piece of code can access memory outside its intended boundaries, in existing C++ projects, including Chrome.
This includes migrating to Safe Buffers and enabling hardened libc++, which adds bounds checking to standard C++ data structures to address a significant class of spatial safety bugs. The overhead incurred by the change was noted to be minimal (i.e., a 0.30% performance impact on average).
“The hardened libc++ library, recently added by open source contributors, provides a set of security checks designed to detect vulnerabilities such as out-of-bounds in production,” Google said. “While C++ will not become completely memory-safe, these improvements reduce the risk (…), resulting in more robust and secure software.”
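To make two of the technical points above concrete, the coverage point (a function with every line covered can still hide a bug that only a different flag or configuration reaches) and the bounds-checking point (what a hardened container does at the moment of an out-of-bounds access), here is an added C++ example. It is not code from Google, OSS-Fuzz, OpenSSL or libc++: the record format, the `FLAG_COMPACT` flag, `parse_record`, `CheckedView`, the `COVER` macro and the corpora are all constructed for illustration; only the libFuzzer entry-point name `LLVMFuzzerTestOneInput` is real, and its body is this example’s.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

// Added example (not OSS-Fuzz, OpenSSL or libc++ code). A toy parser shows why full
// line coverage does not prove a function bug-free, and a bounds-checked view shows
// what a hardened container does at an out-of-bounds access.

// --- Coverage recorder: stand-in for compiler instrumentation (constructed) ---------
static std::set<int> g_lines_hit;
#define COVER(n) g_lines_hit.insert(n)

// --- Bounds-checked view: stand-in for hardened libc++'s checked operator[] ---------
// A real hardened container traps; this one records the violation instead so the
// example can report it without crashing the process.
static int g_oob_detected = 0;
struct CheckedView {
    const uint8_t* p;
    size_t n;
    uint8_t at(size_t i) const {
        if (i >= n) { ++g_oob_detected; return 0; }
        return p[i];
    }
};

// --- Constructed record format: byte 0 = flags, byte 1 = length, then payload -------
// FLAG_COMPACT (hypothetical) makes the length count 2-byte units instead of bytes.
enum { FLAG_COMPACT = 0x01 };

// Parser with a deliberate defect: the length check runs before the flag-dependent
// scaling, so the compact path can read past the end of the input.
bool parse_record(const uint8_t* data, size_t size, std::vector<uint8_t>& out) {
    COVER(1); if (size < 2) return false;
    COVER(2); CheckedView in{data, size};
    uint8_t flags = in.at(0);
    size_t len = in.at(1);
    COVER(3); if (len > size - 2) return false;            // checks the unscaled length
    COVER(4); size_t bytes = (flags & FLAG_COMPACT) ? len * 2 : len;
    COVER(5); out.clear();
    for (size_t i = 0; i < bytes; ++i) { COVER(6); out.push_back(in.at(2 + i)); }
    COVER(7); return true;
}

// Corrected parser: scale first, then check, so every configuration stays in bounds.
bool parse_record_fixed(const uint8_t* data, size_t size, std::vector<uint8_t>& out) {
    if (size < 2) return false;
    CheckedView in{data, size};
    uint8_t flags = in.at(0);
    size_t bytes = (flags & FLAG_COMPACT) ? in.at(1) * 2 : in.at(1);
    if (bytes > size - 2) return false;
    out.clear();
    for (size_t i = 0; i < bytes; ++i) out.push_back(in.at(2 + i));
    return true;
}

// libFuzzer-style fuzz target (the entry-point name is real; the body is this example's).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::vector<uint8_t> out;
    parse_record(data, size, out);
    return 0;
}

struct CorpusResult { size_t lines_hit; int oob_detected; };

// Feed a corpus through a parser and report line coverage and detected violations.
CorpusResult run_corpus(const std::vector<std::vector<uint8_t>>& corpus,
                        bool (*parser)(const uint8_t*, size_t, std::vector<uint8_t>&) = parse_record) {
    g_lines_hit.clear();
    g_oob_detected = 0;
    std::vector<uint8_t> out;
    for (const auto& input : corpus) parser(input.data(), input.size(), out);
    return {g_lines_hit.size(), g_oob_detected};
}

// Constructed corpora: the first covers all seven "lines" with the flag clear and finds
// nothing; the second sets FLAG_COMPACT with the same length and exposes the defect.
const std::vector<std::vector<uint8_t>> kBaselineCorpus = {
    {0x00}, {0x00, 0x05}, {0x00, 0x01, 'a'}};
const std::vector<std::vector<uint8_t>> kCompactCorpus = {{0x01, 0x01, 'a'}};
```

Running `kBaselineCorpus` through `parse_record` reports all seven instrumented lines covered and no violation, which is exactly the false comfort the article warns about; `kCompactCorpus` reaches no new line but flips the flag and trips the bounds check. In a real OSS-Fuzz build the `CheckedView` stand-in would be AddressSanitizer or hardened libc++ turning that access into a crash report, which is what makes the bug visible to the fuzzer.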