Thursday, November 21, 2024

Google Confirms Critical 20-Year-Old Security Flaw Using New Fuzzy AI


It’s all too easy to berate Google for poor security when vulnerabilities are found in products such as the Chrome browser on a regular basis, or when Gmail users come under attack. However, the truth is that Google is at the forefront of security research, and many of those vulnerabilities are found by Google’s own highly specialized teams. The Google Threat Analysis Group, best known for uncovering zero-day threats in Google’s own products, has a remit to “counter government-backed hacking and attacks against Google and our users,” and the Jigsaw Unit “explores threats to open societies,” for example. However, you can add another group of dedicated security boffins to the list, and this one knows a thing or two about using AI in the defensive effort: Google’s OSS-Fuzz team. Here’s how it came to report 26 new vulnerabilities to open-source project maintainers, including one in the critical OpenSSL library that underpins most internet infrastructure.


Google’s OSS-Fuzz Team Uses AI-Generated Targets To Uncover Long-Hidden Security Vulnerabilities

Hot on the heels of the discovery of a previously unknown, zero-day, exploitable memory-safety vulnerability in widely used real-world software by Google’s large language model-assisted AI vulnerability detection agent Big Sleep, a world first according to Google, comes another critical security discovery with AI firmly in the driving seat.

As reported by Oliver Chang, Dongge Liu, and Jonathan Metzman from Google’s open source security team, 26 newly discovered vulnerabilities “represent a milestone for automated vulnerability finding,” as they were all found with AI. The CVE-2024-9143 vulnerability in the critical OpenSSL library underpinning much of internet infrastructure is of particular significance, the Google report said, because, as far as the researchers could tell, “this vulnerability has likely been present for two decades and wouldn’t have been discoverable with existing fuzz targets written by humans.”

The OpenSSL CVE is one of the first vulnerabilities in a critical piece of software to be discovered by LLMs. It’s an out-of-bounds memory issue that could lead to an application crash and, according to the National Vulnerability Database, could open up the possibility of remote code execution. “We reported this vulnerability on September 16 and a fix was published on October 16,” the Google researchers said.


The Evolution Of AI-Powered Fuzzing

AI-powered fuzzing was first announced to the world by Google’s OSS-Fuzz team on Aug. 16, 2023. It was an ambitious project, looking to leverage large language models to improve fuzzing coverage and uncover more vulnerabilities automatically and, crucially, before malicious attackers could exploit them. “Our approach was to use the coding abilities of an LLM to generate more fuzz targets,” the team said, “which are similar to unit tests that exercise relevant functionality to search for vulnerabilities.”

The ultimate aim is to completely automate the process, currently a manual and time-consuming one, of developing a fuzz target from start to finish. Simply put, fuzzing is an automated software testing technique that feeds invalid or random data into a program with a view to uncovering security vulnerabilities. While the fuzzing process itself is automated, developing the target isn’t. That’s where the AI-generated fuzz target project comes in.
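To make the “fuzz target” idea concrete, here is an added example (not code from the article, from OpenSSL, or from the OSS-Fuzz project) of the libFuzzer-style harness that OSS-Fuzz projects are built from. The function under test, `parse_record`, is a hypothetical stand-in for a library API; the entry point `LLVMFuzzerTestOneInput` is the real name libFuzzer calls, and `run_random_inputs` is a minimal assumed driver so the target runs stand-alone without a fuzzing engine or sanitizers.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical library function (stand-in for a real API): parse a
 * length-prefixed record [len][payload...] and copy the payload into
 * out (capacity out_cap). Returns the payload length, or -1 on error. */
static int parse_record(const uint8_t *buf, size_t len,
                        uint8_t *out, size_t out_cap) {
    if (len < 1) return -1;            /* no length byte at all */
    size_t plen = buf[0];
    if (plen > len - 1) return -1;     /* payload must fit in the input */
    if (plen > out_cap) return -1;     /* and in the caller's buffer */
    memcpy(out, buf + 1, plen);
    return (int)plen;
}

/* Convenience wrapper for callers that only need the parsed length. */
int parse_record_len(const uint8_t *buf, size_t len) {
    uint8_t scratch[64];
    return parse_record(buf, len, scratch, sizeof scratch);
}

/* libFuzzer entry point: the engine calls this with arbitrary bytes.
 * Like a unit test, it exercises one API and checks an invariant; a
 * target only finds bugs in code it actually reaches, which is why a
 * function no existing target calls can stay buggy for years. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t out[64];
    int n = parse_record(data, size, out, sizeof out);
    if (n >= 0) {
        /* Invariant: a successful parse returns exactly the payload. */
        assert((size_t)n <= size - 1);
        assert(memcmp(out, data + 1, (size_t)n) == 0);
    }
    return 0;  /* libFuzzer ignores the return value */
}

/* Assumed stand-alone driver: feeds pseudo-random inputs to the target.
 * A real engine adds coverage guidance, corpus minimisation and ASan. */
unsigned long run_random_inputs(unsigned long iterations, unsigned seed) {
    uint8_t buf[256];
    srand(seed);
    for (unsigned long i = 0; i < iterations; i++) {
        size_t n = (size_t)(rand() % (int)sizeof buf);
        for (size_t j = 0; j < n; j++) buf[j] = (uint8_t)rand();
        LLVMFuzzerTestOneInput(buf, n);
    }
    return iterations;
}
```

Built with `clang -fsanitize=fuzzer,address` the same file becomes a real libFuzzer target, and the driver above is simply unused.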


“We hope OSS-Fuzz will be useful for other researchers to evaluate AI-powered vulnerability discovery ideas,” the Google researchers said, “and ultimately become a tool that will enable defenders to find more vulnerabilities before they get exploited.”
