Google’s OSS-Fuzz tool, now enhanced with AI capabilities, has discovered 26 new vulnerabilities in open-source projects, including a long-overlooked flaw in the vital OpenSSL library.
OSS-Fuzz is a Google-developed fuzzing system that the company has been using to continuously test hundreds of open-source projects since 2016. In August 2023, Google first announced it was working on bringing the capabilities of large language models (LLMs) to OSS-Fuzz, initially focusing on using LLMs to develop fuzz targets, one of the most time-consuming manual steps in the fuzzing process.
Since then, Google has improved its AI-powered fuzzing framework for OSS-Fuzz with further capabilities, including the ability to automatically fix compilation issues and other errors in fuzz targets, and to continuously run the final target while triaging any crashes, Google said in a blog post Wednesday.
The target development step was also enhanced through the automatic generation of more relevant context about a project to include in the LLM’s prompt, reducing the likelihood of hallucinations. The improvements made over the last year and a half have led to an increase in code coverage for 272 C/C++ projects in OSS-Fuzz, with a total of more than 370,000 new lines of code now being covered.
Using the AI-powered fuzzing tool, Google has discovered a total of 26 bugs in open-source projects that the company said could not have been discovered without the new targets generated by the LLM. In all 26 cases, the Vertex AI code-bison model was used as the LLM component, although Google’s AI-powered fuzzing framework also supports other models including Gemini models and OpenAI’s GPT models.
Most of the discovered vulnerabilities were out-of-bounds read flaws, with one of the most notable being an out-of-bounds read/write flaw in OpenSSL, tracked as CVE-2024-9143, which Google said went overlooked for 20 years despite the hundreds of thousands of hours of prior fuzzing the widely used project had undergone. All of the flaws were reported to their respective maintainers, with the OpenSSL flaw being reported in September 2024 and fixed in October 2024.
Currently, Google’s AI-powered OSS-Fuzz system follows a four-step process, starting with the drafting of an initial fuzz target from detailed information about the project to be tested. Next, the target is compiled, and any compilation errors are presented to the LLM, which analyzes them and generates fixes to be applied.
The third step is an initial run of the fuzz target to identify and resolve any problems with the target itself that lead to runtime issues and immediate crashes, which the LLM is also able to do using the prompts developed by Google. Lastly, the final fuzz target is run continuously and the LLM is used to triage any crashes to determine the root cause, including any previously undiscovered bugs in the software.
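To make the four steps concrete, the following is an added example (not Google's, OSS-Fuzz's or OpenSSL's code) of the artifact at the centre of the process: a libFuzzer-style fuzz target, the kind of harness the LLM drafts in step one, that OSS-Fuzz builds with sanitizers and runs continuously in step four. The parser it exercises is a hypothetical length-prefixed record format invented for this example; the payload-length check in `parse_record` is exactly the kind of missing bounds check that an out-of-bounds read, the most common flaw class in the article, comes from, and without it the over-read in `payload_sum` is what AddressSanitizer would report as a crash for triage.

```c
/* Added example: a minimal libFuzzer-style fuzz target for a hypothetical
   length-prefixed record parser. Not code from Google, OSS-Fuzz or OpenSSL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format: [u8 tag][u8 len][len bytes of payload] */
typedef struct {
    uint8_t tag;
    uint8_t len;
    const uint8_t *payload;
} record_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_TAG = -2 };

/* Parse one record from a buffer of `size` bytes without reading past it. */
int parse_record(const uint8_t *data, size_t size, record_t *out) {
    if (size < 2)
        return PARSE_TRUNCATED;            /* the 2-byte header must fit */
    uint8_t tag = data[0];
    uint8_t len = data[1];
    if (tag == 0)
        return PARSE_BAD_TAG;
    /* The check a fuzzer finds missing: the declared payload must fit
       inside the buffer, otherwise payload_sum() reads out of bounds. */
    if ((size_t)len > size - 2)
        return PARSE_TRUNCATED;
    out->tag = tag;
    out->len = len;
    out->payload = data + 2;
    return PARSE_OK;
}

/* Sum the payload bytes; only safe once parse_record has validated len. */
uint32_t payload_sum(const record_t *r) {
    uint32_t s = 0;
    for (size_t i = 0; i < r->len; i++)
        s += r->payload[i];
    return s;
}

/* Convenience wrappers returning plain values for callers and tests. */
int parse_status(const uint8_t *data, size_t size) {
    record_t r;
    return parse_record(data, size, &r);
}

uint32_t parse_and_sum(const uint8_t *data, size_t size) {
    record_t r;
    return parse_record(data, size, &r) == PARSE_OK ? payload_sum(&r) : 0;
}

/* libFuzzer entry point: OSS-Fuzz compiles a target with this signature using
   -fsanitize=fuzzer,address and feeds it mutated inputs continuously. A
   non-crashing input returns 0 whether or not it parsed. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    record_t r;
    if (parse_record(data, size, &r) == PARSE_OK)
        (void)payload_sum(&r);             /* ASan would flag any over-read here */
    return 0;
}

/* Stand-alone driver used when built without libFuzzer: replays a few
   constructed seed inputs, including a truncated record that declares more
   payload than it carries. */
int main(void) {
    const uint8_t good[] = {1, 3, 'a', 'b', 'c'};
    const uint8_t truncated[] = {1, 10, 'a'};   /* claims 10 bytes, carries 1 */
    LLVMFuzzerTestOneInput(good, sizeof good);
    LLVMFuzzerTestOneInput(truncated, sizeof truncated);
    printf("good: status %d sum %u\n", parse_status(good, sizeof good),
           parse_and_sum(good, sizeof good));
    printf("truncated: status %d\n", parse_status(truncated, sizeof truncated));
    return 0;
}
```

Under libFuzzer the `main` above is replaced by the fuzzing engine's own driver, so the same file serves both as a seed-replay tool and as the target that step four runs continuously; step three's "immediate crash" problems are typically defects in the harness itself (for example a target that dereferences `data` before checking `size`), not in the project under test.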
Google plans to eventually improve its AI-powered OSS-Fuzz process to make it more autonomous, reducing the need for human review so that vulnerabilities can be automatically reported to project maintainers by the AI agent. There are also plans to provide the AI with more resources and tools, such as debuggers, that it can use autonomously to obtain more information and validate its own results without human intervention, similar to another Google project, Big Sleep, which uses an LLM agent to simulate the workflow of a human security researcher.
The framework Google built to add AI capabilities to its OSS-Fuzz project has been open source since January 2024, with the public GitHub repository including a usage guide for the framework and more details about the bugs discovered and projects covered by the AI-powered tool so far.