Recently, Google announced that OSS-Fuzz, its continuous fuzzing service for open-source projects, had found vulnerabilities in 26 open-source repositories using AI-generated fuzz targets, among them a medium-severity vulnerability in the OpenSSL cryptographic library.
Google's open-source security team wrote in a blog post: "The discovery of these vulnerabilities marks a new milestone in automated vulnerability detection: each vulnerability was found through AI-generated and enhanced fuzz targets."
The OpenSSL vulnerability is tracked as CVE-2024-9143 (CVSS score 4.3), an out-of-bounds memory write that can crash an application or, in principle, lead to remote code execution. It lies in OpenSSL's low-level GF(2^m) (binary) elliptic-curve routines and is reachable only when an application passes untrusted explicit curve parameters to those APIs, which limits the practical exposure. The fix is included in OpenSSL 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb and 1.0.2zl. Google noted that the bug had been in the codebase for nearly 20 years and that the project's existing, human-written fuzz target did not exercise the affected code, which is why it went undetected.
Google also said that AI-generated fuzz targets raised code coverage in 272 C/C++ projects, bringing more than 370,000 lines of code under fuzzing that existing targets had not reached. It added a caveat that explains why so many bugs are missed: coverage is not evidence of correctness. A covered line is not a tested line, because the same code behaves differently under different flags and configurations, and a target that drives only one configuration never reaches the program states in which other bugs surface.
This AI-assisted discovery also relies on large language models (LLMs) reproducing a developer's fuzz-testing workflow (drafting a target, fixing its compile errors, running it and refining it), which lets more of that loop be automated. Separately, Google disclosed earlier this month that Big Sleep, its LLM-based vulnerability-research framework, had found a previously unknown, exploitable stack buffer underflow in the SQLite open-source database engine.
To secure its own codebase, Google is migrating code to memory-safe languages such as Rust and is removing spatial memory-safety bugs from the C++ it keeps. That work includes migrating to safe buffers and enabling hardened libc++, which adds bounds checks to the standard C++ containers and views (such as indexing into vector, span and string_view) and so eliminates a significant class of spatial safety bugs at the source. Google reports that the runtime cost of these checks is small, averaging 0.30%.
Google added that hardened libc++, which open-source contributors recently added to libc++, introduces a set of safety checks designed to catch bugs such as out-of-bounds accesses in production. C++ cannot be made fully memory safe this way, but the checks measurably reduce risk and make the software more reliable and secure.
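As an added example (not code from Google, OSS-Fuzz, Chromium or OpenSSL), the C++ block below ties together the two technical points above: the coverage caveat, that a line exercised only under the default configuration counts as "covered" while the bug in another configuration is never reached, and the hardening point, that a bounds check on the buffer turns that overflow into a loud failure. The record format, its wide-field bug, the `kOptWideFields` flag, the `Record` and `CheckedSpan` types, the function names and the sample inputs are all constructed for the illustration; `CheckedSpan` only stands in for the checks hardened libc++ puts on `std::span` and `operator[]`, and throws where libc++ would trap.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <vector>

constexpr std::size_t kMaxFields = 4;    // slots per record
constexpr std::size_t kFieldSize = 8;    // bytes per slot
constexpr unsigned kOptWideFields = 1u;  // hypothetical config flag: allow "wide" fields

// Fixed-size record. The 256-byte canary after the slots keeps an overflow inside
// one array so the example runs without a sanitizer; ASan would trap instead.
struct Record {
    static constexpr std::size_t kCanaryStart = kMaxFields * kFieldSize;
    std::size_t nfields = 0;
    std::uint8_t slots[kCanaryStart + 256] = {};
    bool canary_intact() const {
        for (std::size_t i = kCanaryStart; i < sizeof(slots); ++i)
            if (slots[i] != 0) return false;
        return true;
    }
};

// Minimal bounds-checked view standing in for std::span under hardened libc++,
// which checks operator[]/subspan and traps; this stand-in throws instead.
class CheckedSpan {
public:
    CheckedSpan(std::uint8_t* p, std::size_t n) : p_(p), n_(n) {}
    CheckedSpan subspan(std::size_t off, std::size_t count) const {
        if (off > n_ || count > n_ - off) throw std::out_of_range("subspan out of bounds");
        return CheckedSpan(p_ + off, count);
    }
    void copy_from(const std::uint8_t* src, std::size_t len) {
        if (len > n_) throw std::out_of_range("copy exceeds span");
        std::memcpy(p_, src, len);
    }
private:
    std::uint8_t* p_; std::size_t n_;
};

// Input: repeated <len: 1 byte><len bytes>. Constructed bug: in wide mode the
// kFieldSize cap is skipped, so a long field overwrites neighbouring slots and the
// canary. hardened=true routes the same buggy write through the checked view.
int parse_record(const std::uint8_t* d, std::size_t n, unsigned opts, bool hardened, Record& rec) {
    rec = Record{};
    CheckedSpan checked(rec.slots, Record::kCanaryStart);
    for (std::size_t i = 0; i < n;) {
        std::size_t len = d[i++];
        if (len > n - i) return -1;                                   // truncated field
        if (!(opts & kOptWideFields) && len > kFieldSize) return -1;  // cap only in default mode
        if (rec.nfields == kMaxFields) return -1;                     // too many fields
        std::size_t off = rec.nfields * kFieldSize;
        if (hardened)
            checked.subspan(off, kFieldSize).copy_from(d + i, len);   // throws when len > kFieldSize
        else
            std::memcpy(&rec.slots[off], d + i, len);                 // BUG: unbounded in wide mode
        i += len;
        ++rec.nfields;
    }
    return static_cast<int>(rec.nfields);
}

enum class Outcome { kOk, kRejected, kCorrupted, kBoundsCheckFired };

// One target body, two shapes. config_from_input=false is the "human-written" target:
// default configuration only, so the memcpy line shows as covered while wide mode is
// never reached. config_from_input=true spends the first byte on the option flags.
Outcome run_target(const std::uint8_t* d, std::size_t n, bool config_from_input, bool hardened) {
    unsigned opts = 0;
    if (config_from_input) {
        if (n < 1) return Outcome::kRejected;
        opts = d[0] & kOptWideFields;
        ++d; --n;
    }
    Record rec;
    int rc = -1;
    try { rc = parse_record(d, n, opts, hardened, rec); }
    catch (const std::out_of_range&) { return Outcome::kBoundsCheckFired; }
    if (rc < 0) return Outcome::kRejected;
    return rec.canary_intact() ? Outcome::kOk : Outcome::kCorrupted;
}

// libFuzzer entry point for the config-driven, unhardened build; aborting on a
// corrupted record makes libFuzzer save the input as a crash.
extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t* d, std::size_t n) {
    if (run_target(d, n, true, false) == Outcome::kCorrupted) std::abort();
    return 0;
}

// Constructed sample inputs (not real corpus data) and a wrapper for them.
std::vector<std::uint8_t> sample_benign() { return {0x00, 3, 'a', 'b', 'c', 2, 'x', 'y'}; }
std::vector<std::uint8_t> sample_wide_overflow() {
    std::vector<std::uint8_t> v = {kOptWideFields, 40};   // wide mode, one 40-byte field
    v.insert(v.end(), std::size_t{40}, std::uint8_t{0xAA});
    return v;
}
Outcome classify(const std::vector<std::uint8_t>& in, bool config_from_input, bool hardened) {
    return run_target(in.data(), in.size(), config_from_input, hardened);
}
```

Run against `sample_wide_overflow()`, the fixed-configuration target rejects the bytes under the default cap and never enters wide mode, even though benign inputs already cover the memcpy line; the configuration-driven target reaches wide mode and reports a corrupted record, and the hardened build of the same logic reports that the bounds check fired. As a real fuzz target, drop the sample helpers and build with `clang++ -fsanitize=fuzzer,address`, letting ASan replace the canary; to get the production bounds checks the article describes, build against libc++ 18 or later with `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST` (or `_LIBCPP_HARDENING_MODE_EXTENSIVE`).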
Key Points:
🌟 Google's OSS-Fuzz tool discovered vulnerabilities in 26 open-source projects, including a nearly 20-year-old OpenSSL vulnerability.
🔍 AI-generated fuzz targets improved code coverage across 272 C/C++ projects, bringing more than 370,000 additional lines of code under test.
🔒 Google is migrating code to memory-safe languages and enhancing C++ project security through measures such as hardened libc++.