Google's AI-powered bug hunting tool finds a host of concerning open source security flaws

  • Google's OSS-Fuzz finds more than two dozen vulnerabilities in different open-source projects
  • Among them is a vulnerability in OpenSSL that could result in RCE
  • Google sees this as a major milestone in automated bug discovery

Google has found 26 vulnerabilities in different open source code repositories, including a medium-severity flaw in “the critical OpenSSL library that underpins much of internet infrastructure.”

This wouldn’t be much of a news story (Google has helped find thousands of bugs over the years) if the method by which the flaws were discovered wasn’t “artificial”: the bugs were revealed using its AI-powered fuzzing tool, OSS-Fuzz.

"These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets," Google explained in a blog post.

Major improvements with LLMs

Among these 26 flaws is an OpenSSL bug tracked as CVE-2024-9143. It has a severity score of 4.3 and is described as an out-of-bounds memory write bug that can crash an app, or allow crooks to mount remote code execution (RCE) malware attacks. OpenSSL has since been upgraded to versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl, to address the flaw.

To make matters even more interesting, Google said the vulnerability was most likely present for two decades, “and wouldn’t have been discoverable with existing fuzz targets written by humans.”

The bug discovery came as a result of two major improvements, the company further explained. The first one is the ability to automatically generate more relevant context in the prompts, which makes the LLM “less likely to hallucinate the missing details in its response.” The second one revolves around the LLM’s ability to emulate a typical developer’s entire workflow, including writing, testing, and iterating on the fuzz target, as well as triaging the crashes found.

“Thanks to this, it was possible to further automate more parts of the fuzzing workflow. This additional iterative feedback in turn also resulted in higher quality and greater number of correct fuzz targets.”
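For readers unfamiliar with the term, a fuzz target is a small entry point that feeds fuzzer-generated bytes into the code under test. The sketch below is an added example, not code from Google, OSS-Fuzz or OpenSSL, and it does not reproduce CVE-2024-9143: `parse_record` and `FIELD_MAX` are hypothetical, and only the `LLVMFuzzerTestOneInput` signature is libFuzzer's real interface.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 16 /* constructed limit for this example */

/* Hypothetical code under test: decodes [1-byte length][payload...].
 * Returns the number of payload bytes copied into out, or -1 on bad input. */
int parse_record(const uint8_t *in, size_t in_len, uint8_t *out) {
    if (in_len < 1)
        return -1;
    size_t n = in[0];
    if (n > in_len - 1)  /* declared length exceeds the input: over-read */
        return -1;
    if (n > FIELD_MAX)   /* without this check, memcpy writes past out[] */
        return -1;
    memcpy(out, in + 1, n);
    return (int)n;
}

/* The fuzz target. libFuzzer calls this once per generated input.
 * Build as a fuzzer with: clang -g -fsanitize=fuzzer,address target.c
 * AddressSanitizer reports any out-of-bounds write the parser performs;
 * the explicit invariant check below catches logic errors as well. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t field[FIELD_MAX];
    int n = parse_record(data, size, field);
    if (n < -1 || n > FIELD_MAX)
        abort(); /* surfaces as a crash for the fuzzer to triage */
    return 0;
}
```

Deleting the `FIELD_MAX` check turns any input whose first byte exceeds 16 into an out-of-bounds write, but a fuzzer can only find that if a target actually reaches `parse_record`, which is the coverage gap the generated targets described above are meant to close.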

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
