It’s easy to blame Google for lax security when vulnerabilities are regularly discovered in products like the Chrome browser or when Gmail users are attacked. The truth, however, is that Google is at the forefront of security research, and many of these vulnerabilities are found by its own highly specialized teams. The Google Threat Analysis Group, best known for discovering zero-day threats in Google’s own products, has a mission to “counter government-backed hacking and attacks against Google and our users,” and the Jigsaw unit “explores threats to open societies,” for example. Now you can add another group of dedicated security specialists to the list, and this one knows a thing or two about using AI in the defensive effort: the Google OSS-Fuzz team. Here’s how it discovered 26 new vulnerabilities for open source project maintainers, including one in the critical OpenSSL library on which much of the Internet’s infrastructure depends.
Google’s OSS-Fuzz Team Uses AI-Generated Targets to Uncover Long-Hidden Security Vulnerabilities
Following the discovery of a previously unknown, exploitable zero-day memory-safety vulnerability in widely used real-world software by Big Sleep, Google’s large language model-assisted vulnerability detection agent (a world first, according to Google), here is another critical security breakthrough with AI firmly in the driver’s seat.
As reported by Oliver Chang, Dongge Liu and Jonathan Metzman of Google’s open source security team, the 26 newly discovered vulnerabilities “represent an important step in automated vulnerability scanning” because they were all found using AI-generated fuzz targets. Of particular importance is CVE-2024-9143 in the critical OpenSSL library that underpins much of the Internet’s infrastructure, the Google report says, because, according to the researchers, “this vulnerability has probably been present for two decades and could not have been discovered with existing fuzz targets written by humans.”
The OpenSSL CVE is one of the first vulnerabilities in a critical piece of software to be discovered by an LLM. It is an out-of-bounds memory access that can crash an application and, according to the National Vulnerability Database, could in some cases lead to remote code execution. “We reported this vulnerability on September 16 and a patch was released on October 16,” the Google researchers said.
The Evolution of AI-Powered Fuzzing
AI-based fuzzing was first announced by Google’s OSS-Fuzz team on August 16, 2023. It was an ambitious project that sought to use large language models to improve fuzzing coverage and automatically discover more vulnerabilities, above all before malicious attackers can exploit them. “Our approach was to use the coding capabilities of an LLM to generate more fuzz targets,” the team said, “which are similar to unit tests that exercise relevant functionality to find vulnerabilities.”
The ultimate goal is to fully automate the currently manual and tedious process of developing a fuzz target from start to finish. Simply put, fuzzing is a software testing technique that automatically feeds invalid or random data into a program in order to find bugs, including security vulnerabilities. Although the fuzzing itself is automated, writing the target, the small harness that takes the fuzzer’s bytes and hands them to the code under test, is not. That is where the AI-generated fuzz target project comes in.
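To make the distinction between the automated fuzzer and the hand-written target concrete, here is an added example (not code from Google’s OSS-Fuzz project, from OpenSSL, or from any of the 26 reported vulnerabilities) of what a libFuzzer-style fuzz target looks like in C, the form OSS-Fuzz uses for C and C++ projects. The toy wire format, the `parse_records` parser, the seed inputs and the `run_seed_corpus` helper are all constructed for this illustration; only the `LLVMFuzzerTestOneInput` entry point is the real libFuzzer convention.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy wire format under test (constructed for this example, not an OpenSSL
 * or OSS-Fuzz format): one byte tag, one byte length, then `len` bytes of
 * payload, repeated.  Parsing stops at the first record that does not fit. */
struct record {
    uint8_t tag;
    uint8_t len;
    const uint8_t *payload;
};

/* Parse up to `max` records from buf[0..size).  Returns the number of records
 * parsed, or -1 if a record claims more bytes than remain in the buffer
 * (the kind of out-of-bounds read a fuzzer exists to surface). */
int parse_records(const uint8_t *buf, size_t size, struct record *out, size_t max)
{
    size_t off = 0;
    int n = 0;
    while (off < size && (size_t)n < max) {
        if (size - off < 2)            /* need tag + len header */
            return -1;
        uint8_t tag = buf[off];
        uint8_t len = buf[off + 1];
        if (len > size - off - 2)      /* payload would run past the end */
            return -1;
        out[n].tag = tag;
        out[n].len = len;
        out[n].payload = buf + off + 2;
        off += 2 + (size_t)len;
        n++;
    }
    return n;
}

/* libFuzzer / OSS-Fuzz entry point: the "fuzz target".  The fuzzer calls it
 * with arbitrary byte strings; it must hand them to the code under test and
 * return 0.  Any rejection logic belongs in the parser, not here. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record recs[8];
    int n = parse_records(data, size, recs, 8);
    if (n > 0) {
        /* Touch every payload byte so AddressSanitizer reports any over-read
         * the parser let through. */
        volatile uint8_t sink = 0;
        for (int i = 0; i < n; i++)
            for (size_t j = 0; j < recs[i].len; j++)
                sink ^= recs[i].payload[j];
        (void)sink;
    }
    return 0;
}

/* Constructed seed inputs, as they would sit in a seed corpus directory. */
static const uint8_t seed_ok[]    = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00};
static const uint8_t seed_trunc[] = {0x01, 0x10, 'a', 'b'};  /* claims 16 bytes, has 2 */
static const uint8_t seed_hdr[]   = {0x01};                   /* half a header */

/* Drive the target over the seeds without libFuzzer; returns how many seeds
 * the parser accepted (expected: only seed_ok). */
int run_seed_corpus(void)
{
    const uint8_t *seeds[] = {seed_ok, seed_trunc, seed_hdr};
    const size_t sizes[]   = {sizeof seed_ok, sizeof seed_trunc, sizeof seed_hdr};
    int accepted = 0;
    for (size_t i = 0; i < 3; i++) {
        struct record recs[8];
        LLVMFuzzerTestOneInput(seeds[i], sizes[i]);
        if (parse_records(seeds[i], sizes[i], recs, 8) >= 0)
            accepted++;
    }
    return accepted;
}
```

Built with `clang -g -fsanitize=fuzzer,address fuzz_target.c -o fuzz_target` (libFuzzer supplies `main`), the binary generates mutated inputs and calls `LLVMFuzzerTestOneInput` with each one, and AddressSanitizer flags any read past the end of `data`. Writing such a target by hand means knowing which API to call and how to feed it bytes; that is the step the OSS-Fuzz team’s work delegates to an LLM, and a target that reaches code no human-written one exercised is how a two-decade-old bug surfaces.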
“We hope that OSS-Fuzz will be useful to other researchers in evaluating AI-based vulnerability discovery ideas,” the Google researchers said, “and will ultimately become a tool that allows defenders to find more vulnerabilities before they are exploited.”