Friday, November 22, 2024

Google Confirms Critical 20-Year-Old Security Flaw Using New Fuzzy AI

Must read

It’s all too easy to berate Google for poor security when vulnerabilities are found in products such as the Chrome browser on a regular basis, or when Gmail users come under attack. However, the truth is that Google is at the forefront of security research, and many of those vulnerabilities are found by Google’s own highly specialized teams. The Google Threat Analysis Group, best known for uncovering zero-day threats in Google’s own products, has a remit to “counter government-backed hacking and attacks against Google and our users,” and the Jigsaw Unit “explores threats to open societies,” for example. However, you can add another group of dedicated security boffins to the list, and this one knows a thing or two about using AI in the defensive effort: Google’s OSS-Fuzz team. Here’s how it found 26 new vulnerabilities to open-source project maintainers, including one in the critical OpenSSL library crucial to most internet infrastructure.

ForbesLocation And Route Data Deletions Will Start May 18, Google Says

Google’s OSS-Fuzz Team Uses AI-Generated Targets To Uncover Long-Hidden Security Vulnerabilities

Hot on the heels of the discovery of a previously unknown, zero-day, exploitable memory-safety vulnerability in widely used real-world software by Google’s large language model-assisted AI vulnerability detection agent Big Sleep, a world first according to Google, comes another critical security discovery with AI firmly in the driving seat.

As reported by Oliver Chang, Dongge Liu, and Jonathan Metzman from Google’s open source security team, 26 newly discovered vulnerabilities “represent a milestone for automated vulnerability finding,” as they were all found with AI. The CVE-2024-9143 vulnerability in the critical OpenSSL library underpinning much of internet infrastructure is of particular significance, the Google report said, because, as far as the researchers could tell, “this vulnerability has likely been present for two decades and wouldn’t have been discoverable with existing fuzz targets written by humans.”

The OpenSSL CVE is one of the first vulnerabilities in a critical piece of software that LLMs discovered. It’s an out-of-bounds memory issue that could lead to an application crash and, according to the National Vulnerability Database could lead to the possibility of remote code execution. “We reported this vulnerability on September 16 and a fix was published on October 16,” the Google researchers said.

ForbesDon’t Hold Down The Ctrl Key—New Warning As Cyber Attacks Confirmed

The Evolution Of AI-Powered Fuzzing

AI-powered fuzzing was first announced to the world by Google’s OSS-Fuzz team Aug. 16, 2023. It was an ambitious project, looking to leverage large language models to improve fuzzing coverage and uncover more vulnerabilities automatically. Automatically and, crucially, before they could be exploited by malicious attackers. “Our approach was to use the coding abilities of an LLM to generate more fuzz targets,” the team said, “which are similar to unit tests that exercise relevant functionality to search for vulnerabilities.”

The ultimate aim is to completely automate the process, currently a manual and time-consuming one, of developing a fuzz target from start to finish. Simply put, fuzzing is a software testing technique to inject invalid or random data into a system, automatically, with a view to uncovering security vulnerabilities. While the fuzzing process is automated, the target development isn’t. That’s where the AI-generated fuzz target project comes in.

ForbesGoogle Confirms $1 Trillion AI Security Protection For Pixel Users

“We hope OSS-Fuzz will be useful for other researchers to evaluate AI-powered vulnerability discovery ideas,” the Google researchers said, “and ultimately become a tool that will enable defenders to find more vulnerabilities before they get exploited.”

Latest article