Google’s AI bug hunters sniff out two dozen-plus code gremlins that humans missed

November 20, 2024 at 12:09PM

Google’s OSS-Fuzz project has reported 26 new vulnerabilities found with LLM-generated fuzz targets, including an out-of-bounds memory access in OpenSSL (CVE-2024-9143). Google describes that finding as particularly important; OpenSSL’s own advisory rates it low severity. The aim is to automate the fuzzing workflow end to end, using large language models to write and repair fuzz targets so that code paths human-written harnesses never exercised get tested.

### Meeting Takeaways:

1. **OSS-Fuzz Project Overview**:
– Google’s OSS-Fuzz project utilizes large language models (LLMs) to detect bugs in code repositories.
– Recently reported 26 new vulnerabilities, including an out-of-bounds memory access in the OpenSSL library (CVE-2024-9143), which Google calls particularly important and OpenSSL’s advisory rates low severity.

2. **Significant Findings**:
– The OpenSSL bug had likely been present for about two decades and, according to Google, would not have been found with the fuzz targets humans had already written for the project.
– The discovery stresses the necessity for AI involvement in security research, as threat actors may exploit flaws before they are detected by traditional methods.

3. **Examples of AI Efficacy**:
– A bug in the cJSON project was also found using AI-fueled methods, highlighting the effectiveness of AI in identifying security issues.

4. **New Tools and Innovations**:
– Google announced a new LLM-based tool called Big Sleep for bug hunting.
– Protect AI released an open source tool, Vulnhuntr, which employs Anthropic’s Claude LLM to discover zero-day vulnerabilities in Python projects.

5. **AI-based Fuzzing Development**:
– OSS-Fuzz introduced AI-driven fuzzing in August 2023 to enhance fuzzing coverage across codebases.
– Initial phases of automation handled by OSS-Fuzz include drafting fuzz targets and resolving compilation issues.

6. **Future Plans for Automation**:
– In January 2024 Google open sourced its LLM-based fuzz-target generation framework (OSS-Fuzz-gen); OSS-Fuzz itself has been open source since its launch in 2016. Work continues on automating the later steps of the fuzzing process.
– The LLM currently aids with the first four steps, with intentions to automate the final step, which involves generating patches for vulnerabilities.
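As an added illustration of the workflow steps above (not code from OSS-Fuzz, Google, OpenSSL or any other project named on this page), the C block below shows the shape of a libFuzzer fuzz target, the artifact the LLM drafts in step 1, written against a small hypothetical TLV parser constructed for this example, together with a deterministic stand-in for the engine’s mutation loop that checks the target actually reaches each outcome of the parser (the kind of check step 3 performs). The parser `tlv_parse`, the seed record and `replay_seed_variants` are assumptions made for the example; `LLVMFuzzerTestOneInput` is the real libFuzzer entry-point name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical library API under test (constructed for this example).
 * Record layout: type (1 byte) | len (1 byte) | value (len bytes).
 * Returns the value length copied into `out` on success,
 * -1 if the record is truncated or does not fit in `out`,
 * -2 if the record carries a different type than `wanted`. */
int tlv_parse(const uint8_t *buf, size_t n, uint8_t wanted,
              uint8_t *out, size_t out_cap)
{
    if (n < 2)
        return -1;              /* header missing: the guard a first draft often forgets */
    size_t len = buf[1];
    if (len > n - 2)
        return -1;              /* value truncated */
    if (buf[0] != wanted)
        return -2;
    if (len > out_cap)
        return -1;              /* would overflow the caller's buffer */
    memcpy(out, buf + 2, len);
    return (int)len;
}

/* Step 1 of the workflow, the fuzz target: libFuzzer (and therefore OSS-Fuzz)
 * calls this once per generated input. It must accept any byte string and
 * only crash if the library under test has a bug. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t out[64];
    (void)tlv_parse(data, size, 0x01, out, sizeof out);
    return 0;                   /* non-zero return values are reserved by libFuzzer */
}

/* Stand-in for the engine's mutation loop so the target can be exercised
 * without libFuzzer: varies the type byte and the input length over a seed
 * record and records which parser outcomes were reached.
 * Bit 0: success seen, bit 1: truncated/too-large seen, bit 2: wrong type seen. */
unsigned replay_seed_variants(void)
{
    const uint8_t seed[8] = {0x01, 0x03, 'a', 'b', 'c', 0x00, 0x00, 0x00};
    const uint8_t types[2] = {0x01, 0x00};
    unsigned seen = 0;
    for (size_t t = 0; t < 2; t++) {
        uint8_t buf[8];
        memcpy(buf, seed, sizeof buf);
        buf[0] = types[t];
        for (size_t n = 0; n <= sizeof buf; n++) {
            uint8_t out[64];
            int rc = tlv_parse(buf, n, 0x01, out, sizeof out);
            if (rc >= 0)
                seen |= 1u;
            else if (rc == -1)
                seen |= 2u;
            else
                seen |= 4u;
            LLVMFuzzerTestOneInput(buf, n);   /* same input through the real entry point */
        }
    }
    return seen;
}

/* Stand-alone run: all three outcomes reached means the target has the
 * coverage a useful harness needs. Drop main() when linking with libFuzzer. */
int main(void)
{
    unsigned seen = replay_seed_variants();
    printf("outcomes reached: %s%s%s\n",
           (seen & 1u) ? "success " : "",
           (seen & 2u) ? "truncated " : "",
           (seen & 4u) ? "wrong-type" : "");
    return seen == 7u ? 0 : 1;
}
```

To run it under the real engine, build with `clang -fsanitize=fuzzer,address target.c` after removing `main()` (libFuzzer supplies its own); the same file then also serves as an OSS-Fuzz target once a build script is added for it.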

7. **Collaborative Efforts**:
– Google is working with various researchers to achieve full automation in the fuzzing workflow and will share results in the future.

### Action Items:
– Keep track of advancements in AI-driven security tools and their implications for future security protocols.
– Explore further collaboration opportunities with research teams to enhance fuzzing automation workflows.
