Google calls in the AI fuzz to find vulnerabilities

Not familiar with 'fuzzing'? It's a software testing technique that involves feeding invalid, unexpected, or random data into a program to detect coding errors and security vulnerabilities.

Back in August 2023, Google introduced AI-Powered Fuzzing, using large language models (LLMs) to improve fuzzing coverage and find more vulnerabilities automatically -- before malicious attackers could exploit them.

Recently the company's OSS-Fuzz team reported 26 new vulnerabilities to open source project maintainers, including one vulnerability in the critical OpenSSL library (CVE-2024-9143) that underpins much of internet infrastructure.

The team used AI-generated and enhanced fuzz targets to detect these vulnerabilities, a milestone for automated vulnerability finding. The OpenSSL CVE is one of the first vulnerabilities in a critical piece of software to be discovered by an LLM, adding another real-world example to Google's recent discovery of an exploitable stack buffer underflow in the widely used SQLite database engine.

To get these results, the team made two major advances. The first is automatically generating more relevant context in prompts: the more complete and relevant the information the LLM is given about a project, the less likely it is to hallucinate the missing details in its response.

The second is the discovery that LLMs are highly effective at emulating a typical developer's entire workflow of writing, testing, and iterating on a fuzz target, as well as triaging the crashes it finds. This makes it possible to automate more of the fuzzing workflow, and the additional feedback in turn yields a higher quality and a greater number of correct fuzz targets.

Google's ultimate goal is to fully automate the entire workflow by having the LLM generate a suggested patch for the vulnerability that it finds.

You can read more with a detailed explanation of the fuzzing workflow on the Google security blog.

Image credit: Pixinooo/depositphotos.com

© 1998-2024 BetaNews, Inc. All Rights Reserved.