Google’s AI-powered bug hunting tool finds a host of concerning open source security flaws
Among the bugs was a flaw in OpenSSL that could leave users vulnerable.
Google’s OSS-Fuzz finds more than two dozen vulnerabilities in different open-source projects
Among them is a vulnerability in OpenSSL that could result in RCE
Google sees this as a major milestone in automated bug discovery
Google has found 26 vulnerabilities in different open source code repositories, including a medium-severity flaw in “the critical OpenSSL library that underpins much of internet infrastructure.”
This wouldn’t be much news (Google has helped find thousands of bugs over the years) if the method by which the flaws were discovered wasn’t “artificial”: the bugs were revealed using its AI-powered fuzzing tool, OSS-Fuzz.
“These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets,” Google explained in a blog post.
Major improvements with LLMs
Among these 26 flaws is an OpenSSL bug tracked as CVE-2024-9143. It has a severity score of 4.3 and is described as an out-of-bounds memory write bug that can crash an app, or allow crooks to mount remote code execution (RCE) malware attacks. OpenSSL has since been upgraded to versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl, to address the flaw.
To make matters even more interesting, Google said the vulnerability was most likely present for two decades, “and wouldn’t have been discoverable with existing fuzz targets written by humans.”
The bug discovery came as a result of two major improvements, the company further explained. The first one is the ability to automatically generate more relevant context in the prompts, which makes the LLM “less likely to hallucinate the missing details in its response.” The second one revolves around the LLM’s ability to emulate a typical developer’s entire workflow, including writing, testing, and iterating on the fuzz target, as well as triaging the crashes found.
“Thanks to this, it was possible to further automate more parts of the fuzzing workflow. This additional iterative feedback in turn also resulted in higher quality and greater number of correct fuzz targets.”
Via The Hacker News