February 5, 2024 at 06:06PM
Google has released an AI-aided fuzzing framework in open source to help find vulnerabilities faster. The tool leverages large language models to generate fuzz targets and has resulted in a 30% increase in code coverage for over 300 projects. The framework allows experimentation and testing of fuzz targets and also looks into using AI for vulnerability patching, showing promising results.
Google has released an AI-aided fuzzing framework in open source to help developers and researchers find vulnerabilities faster. The framework uses large language models (LLMs) to generate fuzz targets for real-world C and C++ projects and benchmarks them using Google’s OSS-Fuzz service. By leveraging LLMs, Google was able to increase code coverage by 30% on over 300 OSS-Fuzz C/C++ projects and discover two new vulnerabilities in widely used projects. The open-sourced tool supports several language models, including Vertex AI code-bison, Gemini Pro, and OpenAI GPT models. The framework evaluates fuzz targets against real-time data using metrics such as compilability, runtime crashes, runtime coverage, and runtime line-coverage differences. It successfully generated valid fuzz targets for 160 C/C++ projects, with a maximum line-coverage increase of 29% over existing human-written targets. Additionally, Google is exploring the use of LLMs for vulnerability patching and has proposed a project for an automated pipeline to generate and test fixes. This AI-powered patching approach has already resolved 15% of targeted bugs and is expected to lead to significant time savings for engineers. The technology has broad potential to impact many stages of the software development process.
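The metrics named above (compilability, runtime crash, and line-coverage difference against the existing human-written target) can be scored with a small evaluator like the one below. This is an added illustration, not code from Google's framework; the `TargetRun` record format and the sample coverage data are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetRun:
    """Constructed result of building and running one fuzz target (hypothetical format)."""
    name: str
    compiled: bool
    crashed: bool
    covered_lines: frozenset  # (file, line) pairs reached at runtime


def evaluate(generated: TargetRun, baseline: TargetRun) -> dict:
    """Score an LLM-generated target against the existing human-written one.

    Returns status ('build_failure', 'crash' or 'ok'), the number of lines the
    generated target reached that the baseline did not, and that gain as a
    percentage of the baseline's line coverage.
    """
    if not generated.compiled:
        # Nothing ran, so there is no coverage to compare.
        return {"status": "build_failure", "new_lines": 0, "coverage_delta_pct": 0.0}
    new_lines = generated.covered_lines - baseline.covered_lines
    base = len(baseline.covered_lines)
    delta_pct = (len(new_lines) / base * 100.0) if base else 0.0
    # A crash is a finding to triage, not a reason to discard the coverage
    # reached before the crash, so the coverage delta is still reported.
    status = "crash" if generated.crashed else "ok"
    return {"status": status, "new_lines": len(new_lines), "coverage_delta_pct": round(delta_pct, 1)}


# Constructed sample: the human-written target covers lines 1-100 of parser.c;
# the generated target misses lines 91-100 but reaches a new region, 101-130.
BASELINE = TargetRun("human_fuzz_parser", True, False,
                     frozenset(("parser.c", n) for n in range(1, 101)))
GENERATED = TargetRun("llm_fuzz_parser", True, False,
                      frozenset(("parser.c", n) for n in list(range(1, 91)) + list(range(101, 131))))

if __name__ == "__main__":
    print(evaluate(GENERATED, BASELINE))  # → {'status': 'ok', 'new_lines': 30, 'coverage_delta_pct': 30.0}
```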