Artificial Intelligence & Machine Learning , Next-Generation Technologies & Secure Development

Google AI Tool Finds 26 Bugs in Open-Source Projects

One Vulnerability Had Been Undiscovered for Two Decades, Researchers Said
Google AI Tool Finds 26 Bugs in Open-Source Projects
Artificial intelligence fuzzing is finding bugs. (Image: Shutterstock)

Google researchers used an artificial intelligence-powered fuzzing tool to identify 26 vulnerabilities in open-source code repositories, at least one of which had been lurking undiscovered in the codebase for two decades.

See Also: Vá à luta com armas mais inteligentes: acelere seu SOC com IA

"These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI using AI-generated and enhanced fuzz targets," said Google's open-source security team.

Among the vulnerabilities the OSS-Fuzz tool found was a medium-severity flaw in the OpenSSL cryptographic library, tracked as CVE-2024-9143, and an out-of-bounds memory write bug that hackers could exploit to crash an application or execute code remotely. Likely present in the codebase for about two decades, the vulnerability would not have been discoverable with "existing fuzz targets written by humans," the researchers said.

Fuzzing introduces unexpected or random data called "fuzz" into a program to uncover vulnerabilities and errors. The process involves identifying a fuzzing target, a function designed to accept an array of bytes and interact with the software's API. This target is subjected to iterative testing by injecting random or malformed inputs to identify flaws.

"One reason that such bugs could remain undiscovered for so long is that line coverage is not a guarantee that a function is free of bugs," Google said in the blog post. "Code coverage as a metric isn't able to measure all possible code paths and states. Different flags and configurations may trigger different behaviors, unearthing different bugs."

OpenSSL fixed the bug a month after it was reported in mid-September.

Some of the other vulnerabilities OSS-Fuzz discovered are yet to be addressed.

Google in August last year began to use large language models to improve fuzzing coverage in OSS-Fuzz. Using AI to generate fuzz targets also improved code coverage for 272 C/C++ projects, adding over 370,000 lines of new code, it said.

The new blog comes weeks after Google said that its LLM-based framework Big Sleep helped detect an exploitable memory-linked zero-day vulnerability in the SQLite open-source database engine.

The fuzzing cycle includes identifying and resolving any compilation or runtime issues and repeating the process to observe how the system handles the input. Crashes or abnormal behavior during this testing can help pinpoint vulnerabilities or bugs within the software. By iteratively refining inputs, fuzzing tools help developers identify and fix critical issues before they are exploited.

Google's OSS-Fuzz initially supported the early stages of fuzzing, such as drafting a fuzz target and addressing compilation issues. Google open-sourced OSS-Fuzz and has since worked on improving its capabilities to manage the later stages of fuzzing, such as running the fuzz target to identify runtime issues and fixing any mistakes, extended fuzzing of corrected targets to uncover crashes, followed by triaging to trace root causes, and addressing vulnerabilities identified through the fuzzing process.

Google said that its LLM can now automate the first four steps of the fuzzing workflow. The company's roadmap includes extending its capabilities to handle the fifth step - which is fixing vulnerabilities - aiming for a fully integrated and automated fuzzing solution.

"The goal is to fully automate this entire workflow by having the LLM generate a suggested patch for the vulnerability," the researchers said.


About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.