Google’s OSS-Fuzz tool, now enhanced with AI capabilities, has discovered 26 new vulnerabilities in open source projects, including a long-neglected flaw in the vital OpenSSL library.
OSS-Fuzz is a fuzzing system developed by Google that the company has used to continuously test hundreds of open source projects since 2016. In August 2023, Google announced for the first time that it was working to integrate the capabilities of Large Language Models (LLMs) into OSS-Fuzz, initially focusing on using LLMs to write fuzz targets, one of the most time-consuming manual steps in the fuzzing process.
Since then, Google has enhanced its AI-driven fuzzing framework for OSS-Fuzz with additional features, including the ability to automatically fix compilation issues and other errors in fuzz targets, and to continuously run the final target while triaging crashes, Google said in a blog post on Wednesday.
The target development stage was also improved by automatically generating more relevant context about a project to include in the LLM prompt, reducing the risk of hallucinations. Improvements over the past year and a half have led to an increase in code coverage for 272 C/C++ projects in OSS-Fuzz, with a total of over 370,000 new lines of code now covered.
Thanks to the AI-based fuzzing tool, Google discovered a total of 26 bugs in open source projects that the company says could not have been discovered without the new targets generated by the LLM. In all 26 cases, Vertex AI’s code-bison model was used as the LLM component, although Google’s AI-powered fuzzing framework also supports other models, including Gemini models and GPT models from OpenAI.
Most of the vulnerabilities discovered were out-of-bounds read flaws, with one of the most notable being an out-of-bounds read/write flaw in OpenSSL, tracked as CVE-2024-9143, which Google says went unnoticed for 20 years despite the hundreds of thousands of hours of fuzzing the widely used project has undergone. All vulnerabilities have been reported to their respective maintainers, with the OpenSSL vulnerability reported in September 2024 and fixed in October 2024.
Currently, Google’s AI-powered OSS-Fuzz system follows a four-step process, starting with drafting an initial fuzz target when provided with detailed information about the project to be tested. Then the target is compiled and any compilation errors are presented to the LLM, which analyzes them and generates fixes to apply.
The third step in the process is the initial execution of the fuzz target, in order to identify and resolve any issues with the fuzz target itself that may cause execution errors and immediate crashes, which the LLM is also able to do using prompts developed by Google. Finally, the final fuzz target is run continuously and the LLM is used to triage all crashes to determine the root cause, including previously undiscovered bugs in the software.
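To make the four-step process concrete, here is an added example (not Google's code and not from any OSS-Fuzz project) of what the artefact at the centre of the pipeline looks like: a libFuzzer-style fuzz target, the `LLVMFuzzerTestOneInput` entry point that OSS-Fuzz builds and runs, wrapped around a small parser for a constructed tag-length-value (TLV) format. The parser is the hardened form; the two `size - off` comparisons are exactly the checks whose absence produces the out-of-bounds read class that makes up most of the 26 findings, and which AddressSanitizer reports as a crash for the LLM to triage in step four.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example: a sequence of
 * TLV records, each 1-byte tag, 1-byte length, then `len` payload bytes. */
typedef struct {
    uint8_t tag;
    uint8_t len;
    const uint8_t *payload;
} tlv_t;

/* Parse the record starting at data[off]. Returns the number of bytes
 * consumed, or 0 if the record would extend past `size`. The two
 * `size - off` checks are what an out-of-bounds read bug lacks: without
 * them a length byte larger than the remaining input makes the caller read
 * beyond the buffer, which a fuzzer running under AddressSanitizer reports
 * as a heap-buffer-overflow read. */
size_t tlv_parse(const uint8_t *data, size_t size, size_t off, tlv_t *out) {
    if (off >= size || size - off < 2)          /* need tag + length */
        return 0;
    uint8_t len = data[off + 1];
    if (size - off - 2 < len)                   /* payload must fit */
        return 0;
    out->tag = data[off];
    out->len = len;
    out->payload = data + off + 2;
    return 2 + (size_t)len;
}

/* Walk every record in the buffer. Returns the record count, or -1 if any
 * record is truncated. An empty buffer holds zero records. */
int tlv_count(const uint8_t *data, size_t size) {
    size_t off = 0;
    int count = 0;
    while (off < size) {
        tlv_t rec;
        size_t used = tlv_parse(data, size, off, &rec);
        if (used == 0)
            return -1;
        off += used;
        count++;
    }
    return count;
}

/* libFuzzer / OSS-Fuzz entry point: the shape of the fuzz target the
 * article's pipeline drafts in step one. It must return 0 on every input,
 * well-formed or not; any sanitizer report here is a real bug in the
 * code under test, not in the harness. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)tlv_count(data, size);
    return 0;
}

#ifndef FUZZING
/* Stand-alone run on constructed inputs, no fuzzer needed. Compile with
 * -DFUZZING -fsanitize=fuzzer,address to let libFuzzer supply main and
 * drive LLVMFuzzerTestOneInput instead. */
int main(void) {
    const uint8_t good[] = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00};
    const uint8_t truncated[] = {0x01, 0x05, 0xAA};   /* claims 5, has 1 */
    printf("good: %d records\n", tlv_count(good, sizeof good));
    printf("truncated: %d\n", tlv_count(truncated, sizeof truncated));
    return 0;
}
#endif
```

Steps two and three of the pipeline are about getting a file like this to compile and to survive its first runs without the harness itself faulting; only once that holds does a crash under continuous fuzzing point at the parser rather than the target.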
Google plans to eventually make its AI-based OSS-Fuzz process more autonomous, reducing the need for human review so that vulnerabilities can be reported to project maintainers automatically by the AI agent. It also plans to give the AI more resources and tools, such as debuggers, which it can use autonomously to gather more information and validate its own results without human intervention, similar to another Google project, Big Sleep, which uses an LLM agent to simulate the workflow of a human security researcher.
The framework built by Google to add AI functionality to its OSS-Fuzz project has been open source since January 2024, with the public GitHub repository including a user guide explaining how to use the framework and more details on the bugs discovered and projects covered by the AI-powered tool so far.