Google’s AI-Driven OSS-Fuzz Uncovers 26 Flaws in Open-Source Projects

November 21, 2024

Google's OSS-Fuzz, the company's continuous fuzzing service for open-source projects, has used AI-generated and AI-enhanced fuzz targets to uncover 26 new vulnerabilities across several open-source repositories, including a flaw in the OpenSSL cryptographic library. Google's open-source security team described the findings as a milestone for automated vulnerability discovery: every one of the 26 was found with a fuzz target that a large language model (LLM) wrote or improved.

The headline find is CVE-2024-9143 in OpenSSL, an out-of-bounds memory read or write in the low-level GF(2^m) elliptic-curve APIs that is reachable when an application passes untrusted explicit curve parameters with an invalid field polynomial. NVD scores it Medium, while the OpenSSL project's own advisory rates it Low. An out-of-bounds write can crash the application and in principle enable remote code execution; OpenSSL's advisory adds the caveat that the protocols it knows of either support only named curves or use an encoding that cannot express the offending values, so vulnerable applications are expected to be rare. The fix is in OpenSSL 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb and 1.0.2zl. Google added LLM capabilities to OSS-Fuzz in August 2023 to raise fuzzing coverage, and it says this bug had likely been present in the code base for about 20 years and would not have been found by the existing, human-written fuzz targets.

Google also credited AI-generated fuzz targets with raising coverage across 272 C/C++ projects on OSS-Fuzz by more than 370,000 newly covered lines of code. It cautioned that bugs can sit undetected for years because line coverage is only a proxy: a line that has been executed is not a line that has been tested in every state it can reach. Coverage counts lines, not paths or states, and the same code behaves differently under different flags and configurations, each of which can expose different bugs.
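To make that coverage point concrete, here is an added example, constructed for this page rather than taken from Google, OSS-Fuzz or OpenSSL. A small, hypothetical record decoder has an out-of-bounds write that exists only under a non-default option. A fuzz target that always uses the default configuration reaches every line of the decoder (line coverage reads 100%) yet can never trigger the bug, while a second target that spends one input byte on the option word finds it immediately under `clang -g -fsanitize=fuzzer,address`. The decoder, the option name, and the two targets are all invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed code under test (hypothetical, not from any real project).
 * It decodes a record of the form [type][len][payload...] into a fixed
 * 64-byte buffer. In the default mode the length is a 6-bit field, so at
 * most 63 bytes are ever copied and nobody wrote a capacity check. With
 * OPT_LEGACY_LEN set, the full 8-bit length byte is honoured and the very
 * same memcpy line can write up to 255 bytes into the 64-byte buffer. */
#define OPT_LEGACY_LEN 1u
#define OUT_CAP 64

int decode_record(const uint8_t *in, size_t in_len, unsigned opts,
                  uint8_t out[OUT_CAP])
{
    if (in_len < 2)
        return -1;
    size_t len = (opts & OPT_LEGACY_LEN) ? in[1] : (in[1] & 0x3F);
    if (len > in_len - 2)        /* length vs. input: always enforced */
        return -1;
    memcpy(out, in + 2, len);    /* executed in both modes; overflows only in legacy mode */
    return (int)len;
}

/* The fix: bound the copy by the destination's capacity, not by an
 * assumption about the encoding in use. */
int decode_record_fixed(const uint8_t *in, size_t in_len, unsigned opts,
                        uint8_t out[OUT_CAP])
{
    if (in_len < 2)
        return -1;
    size_t len = (opts & OPT_LEGACY_LEN) ? in[1] : (in[1] & 0x3F);
    if (len > in_len - 2 || len > OUT_CAP)
        return -1;
    memcpy(out, in + 2, len);
    return (int)len;
}

/* Fuzz target 1 (the "human-written" one): always the default mode. Every
 * line of decode_record is reachable, so line coverage reports 100%, yet
 * the overflow cannot happen because the encoding caps len at 63. */
int fuzz_default_mode(const uint8_t *data, size_t size)
{
    uint8_t out[OUT_CAP];
    decode_record(data, size, 0, out);
    return 0;
}

/* Fuzz target 2: derive the option word from the first input byte so the
 * fuzzer explores both configurations. Line coverage barely changes, but
 * AddressSanitizer now reports the stack-buffer-overflow on the memcpy. */
int fuzz_with_options(const uint8_t *data, size_t size)
{
    if (size < 1)
        return 0;
    unsigned opts = data[0] & OPT_LEGACY_LEN;
    uint8_t out[OUT_CAP];
    decode_record(data + 1, size - 1, opts, out);
    return 0;
}

/* libFuzzer entry point; swap in fuzz_default_mode to see the difference. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    return fuzz_with_options(data, size);
}

/* Constructed inputs for a stand-alone run without a fuzzer. The record has
 * a length byte of 0xFF and a 255-byte (zero-filled) payload. */
int demo_default_mode(void)
{
    uint8_t rec[2 + 255] = { 0x01, 0xFF };
    uint8_t out[OUT_CAP];
    return decode_record(rec, sizeof rec, 0, out);   /* 63: 6-bit length fits */
}

int demo_legacy_mode_fixed(void)
{
    uint8_t rec[2 + 255] = { 0x01, 0xFF };
    uint8_t out[OUT_CAP];
    /* decode_record() on this input would write 255 bytes into 64; the
     * fixed version rejects it instead. */
    return decode_record_fixed(rec, sizeof rec, OPT_LEGACY_LEN, out);  /* -1 */
}

int demo_legacy_mode_small(void)
{
    uint8_t rec[2 + 10] = { 0x01, 0x0A };
    uint8_t out[OUT_CAP];
    return decode_record(rec, sizeof rec, OPT_LEGACY_LEN, out);   /* 10 */
}

int main(void)
{
    printf("default mode: %d, legacy (fixed) : %d, legacy small: %d\n",
           demo_default_mode(), demo_legacy_mode_fixed(), demo_legacy_mode_small());
    return 0;
}
```

The lesson is the one the article draws: both targets show the same covered lines in a coverage report, and only the target that varies the configuration puts the decoder into the state where the covered line misbehaves. An LLM that reads the API and writes a target exercising the non-default option does the same thing a developer would, which is why AI-generated targets can find bugs in code that already "had" fuzz coverage.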

Having LLMs emulate a developer's fuzzing workflow (drafting a target, fixing its compile errors, running it, fixing runtime problems and triaging the crashes) is what made this degree of automation, and with it these AI-assisted discoveries, possible. Google also noted that its LLM-based framework Big Sleep helped find a zero-day vulnerability in the SQLite open-source database engine.

Separately, Google is moving its own code bases to memory-safe languages such as Rust and retrofitting spatial memory safety into existing C++ code bases, including Chrome. The work combines migration to Safe Buffers with enabling hardened libc++, which adds bounds checks to the standard C++ containers and so eliminates a large class of spatial-safety bugs (out-of-bounds reads and writes). Google reports that the performance cost is small, averaging 0.30% overhead.

Google added that hardened libc++ was recently introduced by open-source contributors and adds a set of security checks designed to catch bugs such as out-of-bounds accesses in production. C++ will not become fully memory-safe, but these measures lower the risk and yield more reliable and secure software.
