- Google's OSS-Fuzz finds more than two dozen vulnerabilities in different open source projects
- Among them is a vulnerability in OpenSSL that could result in RCE
- Google sees this as a major milestone in automated bug discovery
Google has found 26 vulnerabilities in different open source code repositories, including a medium severity flaw in “the critical OpenSSL library that underpins much of the Internet's infrastructure.”
This wouldn't be big news (Google has helped find thousands of bugs over the years) if the method by which the flaws were discovered weren't “artificial”: the bugs were revealed using its AI-powered fuzzing tool, OSS-Fuzz.
“These particular vulnerabilities represent a milestone for automated vulnerability hunting: each was found with AI, using AI-generated and enhanced fuzz targets,” Google explained in a blog post.
Major improvements with LLMs
Among these 26 flaws is an OpenSSL bug identified as CVE-2024-9143. It has a severity score of 4.3 and is described as an out-of-bounds memory write error that can crash an application or allow attackers to mount remote code execution (RCE) attacks. OpenSSL has since been updated to versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl to fix the flaw.
To make things even more interesting, Google said the vulnerability was likely present for two decades, “and would not have been detectable with existing human-written fuzz targets.”
The discovery of the bug came as a result of two major improvements, the company explained. The first is the ability to automatically generate more relevant context in the prompts, making the LLM “less likely to hallucinate missing details in its response.” The second revolves around the LLM's ability to emulate the entire workflow of a typical developer, including writing, testing and iterating on the fuzz target, as well as triaging the bugs found.
“Thanks to this, it was possible to automate even more parts of the fuzzing workflow. This additional iterative feedback, in turn, also resulted in higher quality and a greater number of correct fuzz targets.”
Via Hacker News