Google's OSS-Fuzz, using AI-generated fuzz targets, has recently achieved a notable result: it discovered vulnerabilities in 26 open source code libraries, including a medium-severity bug in the OpenSSL cryptographic library that appears to have gone undetected for nearly 20 years. This marks a new milestone in automated vulnerability detection, and AI-generated fuzz targets have shown how much they can improve code coverage and surface deep vulnerabilities. This article covers the latest OSS-Fuzz findings, the role of AI in them, and the measures Google is taking to improve code security.
Recently, Google announced that its artificial intelligence-based fuzz testing tool OSS-Fuzz successfully discovered vulnerabilities in 26 open source code libraries, including a medium-severity vulnerability in the OpenSSL encryption library.
"The discovery of these vulnerabilities marks a new milestone in automated vulnerability detection: each vulnerability is found through AI-generated and enhanced fuzz testing targets," Google's open source security team said in a shared blog post.
The OpenSSL vulnerability is tracked as CVE-2024-9143 (CVSS score 4.3). It is an out-of-bounds memory write that may lead to an application crash or remote code execution. The issue has been fixed in multiple OpenSSL versions, including 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl. Google noted that the flaw may have existed in the code base for nearly 20 years and that traditional human-written fuzz targets would not have discovered it.
Google also mentioned that AI-generated fuzz targets improved code coverage in 272 C/C++ projects, bringing more than 370,000 additional lines of code under test. Google explains that many bugs go unnoticed because code coverage is not the same as the covered code being bug-free: coverage records which lines ran, not every possible code path and program state, and different flags and configurations can trigger different behaviours and thus expose different vulnerabilities.
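As an added illustration of the coverage point above (a constructed example, not code from OSS-Fuzz or from any of the projects mentioned): a toy record parser with one configuration option, a libFuzzer-style harness that hard-codes that option, and one that derives it from the input so the fuzzer can reach both configurations. The names `parse_record`, `Options`, `fixed_config_target`, the record format and the branch bitset are assumptions made for this example; `LLVMFuzzerTestOneInput` is the real libFuzzer entry-point signature.

```cpp
#include <bitset>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed example: a tiny record parser with one configuration option,
// two fuzz harnesses, and a branch tracker standing in for coverage data.

struct Options {
    bool allow_extended = false;   // plays the role of a build/runtime flag
};

enum Branch { B_EMPTY, B_BASIC, B_EXTENDED, B_REJECTED, B_COUNT };
static std::bitset<B_COUNT> g_reached;          // branches any input has reached

static void hit(Branch b) { g_reached.set(b); }
void reset_coverage() { g_reached.reset(); }
bool reached(Branch b) { return g_reached.test(b); }

// Record layout (constructed): [type][len][payload...]. Type 0x01 is always
// accepted; type 0x02 ("extended") is accepted only when the option is on.
// Returns the number of payload bytes consumed, or -1 on rejection.
int parse_record(const uint8_t* data, size_t size, const Options& opt) {
    if (size < 2) { hit(B_EMPTY); return -1; }
    uint8_t type = data[0];
    size_t len = data[1];
    if (len > size - 2) { hit(B_REJECTED); return -1; }   // declared length must fit
    if (type == 0x01) { hit(B_BASIC); return (int)len; }
    if (type == 0x02 && opt.allow_extended) {
        hit(B_EXTENDED);
        uint8_t buf[16];
        // The extended path copies into a fixed buffer; the min() below is
        // the bounds check that keeps the copy inside buf.
        size_t n = len < sizeof buf ? len : sizeof buf;
        memcpy(buf, data + 2, n);
        return (int)n;
    }
    hit(B_REJECTED);
    return -1;
}

// Harness 1: fixed configuration. Whatever the fuzzer generates, the
// extended branch never runs, so its coverage stays at zero and any bug
// on that path stays hidden.
extern "C" int fixed_config_target(const uint8_t* data, size_t size) {
    Options opt;                 // allow_extended stays false
    parse_record(data, size, opt);
    return 0;
}

// Harness 2: libFuzzer entry point that derives the configuration from the
// first input byte, so one fuzzing campaign explores both configurations.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    if (size == 0) return 0;
    Options opt;
    opt.allow_extended = (data[0] & 1) != 0;
    parse_record(data + 1, size - 1, opt);
    return 0;
}
```

With clang, `clang++ -fsanitize=fuzzer,address` builds the second harness as a stand-alone fuzzer; in a real target the coverage instrumentation replaces the bitset, but the lesson is the same: a harness that fixes every flag reports high line coverage for the paths it can reach while leaving whole configurations untested.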
This AI-assisted vulnerability discovery also benefits from the ability of large language models (LLMs) to emulate a developer's fuzzing workflow, which raises the degree of automation further. Separately, Google revealed earlier this month that its LLM-based framework Big Sleep helped find a zero-day vulnerability in the SQLite open source database engine.
To improve the security of its own code base, Google is migrating code to memory-safe languages such as Rust and fixing spatial memory safety vulnerabilities in existing C++ projects. This includes migrating to safe buffers and enabling hardened libc++, which eliminates an important class of spatial safety vulnerabilities by adding bounds checks to standard C++ data structures. Google says the performance cost of these changes is minimal, averaging just 0.30%.
Google further noted that hardened libc++, recently added by open source contributors, introduces a series of security checks designed to catch bugs such as out-of-bounds accesses in production. Although C++ cannot achieve full memory safety, these improvements reduce risk and make software more reliable and secure.
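To make the bounds-check point concrete, here is an added example (constructed for this article; not Google's, OpenSSL's or libc++'s code) of a handler that applies an untrusted "set table[index] = value" message to a `std::vector`, written the unchecked way and two checked ways. The message layout, `read_le32` and the `apply_*` names are assumptions made for this example; `_LIBCPP_HARDENING_MODE` (libc++ 18 and later) and `_GLIBCXX_ASSERTIONS` (libstdc++) are the real compile-time switches that add checks to the unchecked form.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed message layout: index as 4 bytes little-endian, then value as
// 4 bytes little-endian. Both fields are attacker-controlled.
static uint32_t read_le32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Unchecked: operator[] performs no bounds check by default, so an index past
// table.size() is an out-of-bounds write, the bug class discussed above.
// Under hardened libc++ (-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST)
// the same line traps instead of corrupting memory; libstdc++ offers the
// analogous -D_GLIBCXX_ASSERTIONS. Kept here to show the pattern; not called
// with out-of-range input.
void apply_unchecked(std::vector<uint32_t>& table, const uint8_t* msg) {
    table[read_le32(msg)] = read_le32(msg + 4);
}

// Checked with at(): the library raises std::out_of_range, which the handler
// turns into a failure result instead of a crash or a stray memory write.
bool apply_with_at(std::vector<uint32_t>& table, const uint8_t* msg, size_t len) {
    if (len < 8) return false;                        // malformed message
    try {
        table.at(read_le32(msg)) = read_le32(msg + 4);
        return true;
    } catch (const std::out_of_range&) {
        return false;                                 // index rejected
    }
}

// Explicit check: validate before touching the container; no exception path,
// which is the form to prefer in code built with exceptions disabled.
bool apply_checked(std::vector<uint32_t>& table, const uint8_t* msg, size_t len) {
    if (len < 8) return false;                        // malformed message
    size_t index = read_le32(msg);
    if (index >= table.size()) return false;          // reject out-of-range index
    table[index] = read_le32(msg + 4);
    return true;
}
```

The explicit check and `at()` give the same protection regardless of which standard library the binary links against; the hardening flags matter for the large body of existing code that still uses `operator[]` and that nobody will rewrite by hand.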
Highlights:
Google's OSS-Fuzz tool discovered vulnerabilities in 26 open source projects, including a nearly 20-year-old OpenSSL vulnerability.
AI-generated fuzz targets improved code coverage in 272 C/C++ projects, bringing more than 370,000 additional lines of code under test.
Google is migrating code to memory-safe languages and improving the security of C++ projects through measures such as hardening libc++.
Overall, Google has used AI to significantly improve its vulnerability detection capabilities, and its experience offers a useful reference for other organisations. AI will play an increasingly important role in software security, helping developers build more secure and reliable software systems.