OSS-Fuzz Reports 26 New Vulnerabilities in Open Source Projects
Quick take - OSS-Fuzz has reported 26 new vulnerabilities to open source maintainers, among them a flaw in the widely used OpenSSL library, all found with fuzz targets that were generated or improved by large language models. The results show that AI-generated fuzz targets can reach code that years of human-written targets did not, and point to further automation of the vulnerability discovery workflow.
Fast Facts
- OSS-Fuzz reported 26 new vulnerabilities, including one in the OpenSSL library (CVE-2024-9143), discovered with fuzz targets generated by large language models (LLMs).
- Over eight years, OSS-Fuzz has helped maintainers fix more than 11,000 vulnerabilities; the newly reported ones are the first batch found with AI-generated and AI-enhanced fuzz targets.
- The LLM integration aims to automate fuzz target development end to end, from drafting the target to triaging the crashes it finds.
- OSS-Fuzz has open-sourced its framework for LLM-generated fuzz targets, which has produced targets for 272 C/C++ projects and covered more than 370,000 additional lines of code.
- Future goals include fully automating the fuzzing workflow and developing an agent-based architecture for LLMs to autonomously plan and validate solutions.
OSS-Fuzz Reports 26 New Vulnerabilities
OSS-Fuzz has reported 26 new vulnerabilities to open source project maintainers. Among them is a flaw in the OpenSSL library, identified as CVE-2024-9143. OpenSSL underpins much of the internet's TLS infrastructure, and this is, to the project's knowledge, one of the first vulnerabilities in such a critical piece of software to be found with LLM-generated fuzz targets.
Recent Discoveries and AI Integration
Separately, Google recently disclosed an exploitable stack buffer underflow in the SQLite database engine, another AI-assisted find. Over the past eight years, OSS-Fuzz has reported and helped maintainers fix more than 11,000 vulnerabilities. The 26 new vulnerabilities were found using fuzz targets that were generated or improved by AI, the result of a year and a half of work on integrating LLMs into the fuzzing pipeline. The aim is to find more vulnerabilities in open source projects, earlier, with less human effort per project.
In August 2023, OSS-Fuzz began using LLMs to increase fuzzing coverage. A fuzz target is a small harness, similar in size and shape to a unit test, that hands fuzzer-generated input to a library API; unlike a unit test it checks no fixed expected values, but relies on sanitizers and invariant checks to flag crashes and memory errors on any input. Writing such targets for every API of every project is the main human bottleneck, so the goal is to automate the whole process: drafting targets, fixing compilation issues, running them, and triaging the resulting crashes.
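To make concrete what the LLMs are being asked to write, here is a minimal libFuzzer-style fuzz target for a toy parser. This is an added example written for this page, not code from OSS-Fuzz or oss-fuzz-gen. The parser `parse_tlv` and its record format are hypothetical; `LLVMFuzzerTestOneInput` is the real entry point that libFuzzer and OSS-Fuzz call once per generated input. Note how the target asserts only invariants that must hold for every input, which is what distinguishes it from a unit test.

```c
/* Added example, not OSS-Fuzz project code. parse_tlv is a hypothetical
 * library function; LLVMFuzzerTestOneInput is the libFuzzer interface
 * used by OSS-Fuzz. Build with: clang -g -fsanitize=fuzzer,address tlv.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TLV_MAX_FIELDS 8

typedef struct {
    uint8_t type;
    uint16_t length;
    const uint8_t *value;   /* points into the input buffer, not copied */
} tlv_field_t;

/* Parse records of the form [type:1][length:2 big-endian][value:length].
 * Returns the number of records parsed, or -1 on malformed input.
 * Every read is checked against len; the fuzz target below exists to keep
 * it that way when the parser is later modified. */
int parse_tlv(const uint8_t *data, size_t len, tlv_field_t *out, size_t max_fields) {
    size_t pos = 0;
    size_t n = 0;
    while (pos < len) {
        if (n == max_fields) return -1;        /* more records than caller allows */
        if (len - pos < 3) return -1;          /* truncated header */
        uint8_t type = data[pos];
        uint16_t length = (uint16_t)((data[pos + 1] << 8) | data[pos + 2]);
        pos += 3;
        if (length > len - pos) return -1;     /* value would run past the input */
        out[n].type = type;
        out[n].length = length;
        out[n].value = data + pos;
        pos += length;
        n++;
    }
    return (int)n;
}

/* libFuzzer entry point. OSS-Fuzz calls this with arbitrary bytes; there is
 * no expected output, only invariants, and ASan/UBSan report memory errors. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    tlv_field_t fields[TLV_MAX_FIELDS];
    int n = parse_tlv(data, size, fields, TLV_MAX_FIELDS);
    if (n < 0) return 0;                       /* rejecting input is not a bug */
    size_t consumed = 0;
    for (int i = 0; i < n; i++) {
        /* Invariant: every parsed value lies entirely inside the input. */
        if (fields[i].value < data || fields[i].value + fields[i].length > data + size)
            abort();
        consumed += 3 + fields[i].length;
    }
    if (consumed != size) abort();             /* accepted input must be fully consumed */
    return 0;
}

/* Stand-alone driver: replays one input file (e.g. an OSS-Fuzz testcase)
 * without linking libFuzzer, which is how maintainers reproduce a report. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <testcase>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    static uint8_t buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    LLVMFuzzerTestOneInput(buf, n);
    return 0;
}
```

Under libFuzzer the `main` above is replaced by the fuzzer's own driver, which mutates inputs to maximize coverage of `parse_tlv`; the same file, compiled normally, replays a single crashing testcase for triage. The human (or LLM) effort in the OSS-Fuzz workflow is in writing the target so that it reaches the interesting code paths with valid-enough input.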
Advancements in Fuzzing Processes
By January 2024, OSS-Fuzz had open-sourced its framework for LLM-generated fuzz targets. The framework has since produced fuzz targets for 272 C/C++ projects and brought more than 370,000 additional lines of code under fuzzing coverage. In one project, coverage rose from 77 lines to 5,434 lines, a measure of how much code the existing human-written targets had left unexercised.
The newly reported vulnerabilities were found in projects that had already been fuzzed extensively, which shows the limits of relying only on human-written fuzz targets: a target only finds bugs in the code it reaches. The OpenSSL vulnerability had likely been present for two decades and would not have been discoverable with the project's existing fuzz targets. Likewise, an AI-generated target found a new vulnerability in the cJSON project even though that project already had human-written fuzz tests.
Current work concentrates on giving the LLM more relevant context in its prompts, including new infrastructure that indexes the projects in OSS-Fuzz so that prompts can draw on the right source files and APIs. The LLMs have shown they can follow a developer's workflow: draft a fuzz target, fix its compilation errors, run it, and triage the resulting crashes to determine their root cause.
The long-term goal is to automate the workflow completely, including generating patches for the vulnerabilities found and improving automated triage so that little human intervention is needed. An agent-based architecture is in development in which the LLM plans its own steps and validates the results.
OSS-Fuzz intends to serve as a resource for researchers working on AI-powered vulnerability discovery. The open-source framework for AI-powered fuzzing is available in the oss-fuzz-gen repository, and the OSS-Fuzz blog will carry further technical updates on this work.
Original Source: Read the Full Article Here