Google has announced that its AI-powered fuzzing tool, OSS-Fuzz, has successfully identified 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library.
“These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets,” Google’s open-source security team stated in a blog post shared with The Hacker News.
The identified OpenSSL vulnerability, CVE-2024-9143, has a CVSS score of 4.3 and is an out-of-bounds memory write bug that can lead to application crashes or remote code execution. This issue has been fixed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl.
Google introduced the use of large language models (LLMs) to enhance fuzzing coverage in OSS-Fuzz in August 2023. The company noted that this vulnerability likely existed in the codebase for two decades and that it “wouldn’t have been discoverable with existing fuzz targets written by humans.”
The use of AI-generated fuzz targets has improved code coverage across 272 C/C++ projects, bringing more than 370,000 additional lines of code under test. Google’s team emphasized that line coverage alone does not guarantee bug-free code, since the same lines can behave differently under different flags and configurations, each of which can expose different bugs.
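As an added illustration (not code from Google’s post or from the OSS-Fuzz project), this is the shape of a libFuzzer-style fuzz target of the kind OSS-Fuzz runs: the first input byte selects parser options, so one target drives several configurations, which is the point above about flags and configurations exposing different bugs. `parse_kv`, `kv_opts` and `run_input` are hypothetical, constructed names; the sample inputs are constructed.

```c
/* Added example: a libFuzzer-style target for a constructed "key=value" parser. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY 16

/* Options a real project would expose as build or runtime flags (hypothetical). */
typedef struct { int allow_empty_value; int case_insensitive; } kv_opts;

/* Parses "key=value" and copies the key into a bounded buffer.
 * Returns 0 on success, a negative code on rejection. */
int parse_kv(const uint8_t *data, size_t size, const kv_opts *o, char key[MAX_KEY]) {
    const uint8_t *eq = size ? memchr(data, '=', size) : NULL;
    if (!eq) return -1;
    size_t klen = (size_t)(eq - data);
    if (klen == 0 || klen >= MAX_KEY) return -2;      /* keeps the copy below in bounds */
    if (!o->allow_empty_value && eq + 1 == data + size) return -3;
    for (size_t i = 0; i < klen; i++) {
        uint8_t c = data[i];
        if (o->case_insensitive && c >= 'A' && c <= 'Z') c += 'a' - 'A';
        key[i] = (char)c;
    }
    key[klen] = '\0';
    return 0;
}

/* Decodes the option bits from the first input byte, then parses the rest. */
int run_input(const uint8_t *data, size_t size, char key[MAX_KEY]) {
    if (size < 1) return -1;
    kv_opts o = { .allow_empty_value = data[0] & 1, .case_insensitive = (data[0] >> 1) & 1 };
    return parse_kv(data + 1, size - 1, &o, key);
}

/* Entry point libFuzzer/OSS-Fuzz calls with every mutated input; a memory
 * error inside parse_kv would surface here as a sanitizer report. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char key[MAX_KEY];
    (void)run_input(data, size, key);
    return 0;
}

/* Checks one constructed input against the expected result code and key. */
int sample_matches(const char *input, int want_rc, const char *want_key) {
    char key[MAX_KEY] = "";
    int rc = run_input((const uint8_t *)input, strlen(input), key);
    return rc == want_rc && (want_key == NULL || strcmp(key, want_key) == 0);
}

int main(void) {   /* stand-alone run over constructed inputs, no libFuzzer needed */
    int ok = sample_matches("0Key=value", 0, "Key")   /* '0': both options off */
          && sample_matches("2KEY=v", 0, "key")       /* '2': case-insensitive keys */
          && sample_matches("0k=", -3, NULL)          /* empty value rejected */
          && sample_matches("1k=", 0, "k");           /* '1': empty value allowed */
    puts(ok ? "constructed samples behave as expected" : "mismatch");
    return ok ? 0 : 1;
}
```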
These AI-assisted discoveries are enabled by LLMs’ ability to emulate a developer’s fuzzing workflow, facilitating greater automation. Earlier this month, Google disclosed that its LLM-based framework, Big Sleep, helped detect a zero-day vulnerability in the SQLite open-source database engine.
In parallel, Google has been transitioning its codebases to memory-safe languages such as Rust and retrofitting mechanisms to address spatial memory safety vulnerabilities within existing C++ projects, including Chrome. This includes migrating to Safe Buffers and enabling hardened libc++, which adds bounds checking to standard C++ data structures to eliminate a significant class of spatial safety bugs. The company noted that the performance impact of these changes is minimal, averaging 0.30%.
“Hardened libc++, recently added by open source contributors, introduces a set of security checks designed to catch vulnerabilities such as out-of-bounds accesses in production,” Google said. “While C++ will not become fully memory-safe, these improvements reduce risk, leading to more reliable and secure software.”