Artificial intelligence (AI) is now being applied to fuzzing and automated vulnerability discovery, and the early results are significant. OSS-Fuzz, Google's continuous fuzzing service for open-source software, recently reported 26 new vulnerabilities found with AI-generated fuzz targets, including one in OpenSSL (CVE-2024-9143), a library that underpins much of the internet's TLS traffic.
Fuzz targets, the small harness programs that feed fuzzer-generated input into the code under test, have traditionally been written by hand, one function or API at a time. OSS-Fuzz now uses large language models (LLMs) to write them, which makes the testing both faster to set up and broader in what it reaches. Because the generated targets exercise functions in ways the existing hand-written harnesses did not, they cover additional code paths and expose bugs that would otherwise have stayed hidden.
The OSS-Fuzz team first announced the effort in August 2023. The aim was to automatically generate fuzz targets for critical open-source software so that bugs are found early and the window in which attackers can exploit them is shortened. The key change is the use of an LLM to write the target: the model is given context from the project, such as the signature of the function to test and any existing fuzz targets, and asked to produce a harness that exercises that function. This automates what had been a manual cycle of writing and refining targets.
The approach produced a measurable jump in code coverage across C/C++ projects. The number of OSS-Fuzz projects running AI-generated targets grew from 160 to 272, adding about 370,000 lines of covered code. In one project coverage rose from 77 lines to 5,434, an increase of roughly 7,000%. Across the campaign the new targets surfaced 26 vulnerabilities, the most prominent being the OpenSSL bug (CVE-2024-9143) because of how widely that library is deployed. OpenSSL itself rated the issue low severity, but Google said it had likely been present for about two decades and would not have been found with the project's existing human-written fuzz targets.
Why does this find bugs that existing fuzzing missed? Coverage is only a proxy: a function can have every line executed by an existing harness and still hide a bug that is reachable only through a different parameter combination, configuration or edge case. Because the LLM writes many targets that call the same code in different ways, it exercises behaviours the original harness never did. The clearest example is cJSON, where an AI-generated target found a bug in a function that was already covered by the project's human-written fuzz targets.
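As an added illustration, and not code from OSS-Fuzz, Google or the cJSON project, the following C program shows what a libFuzzer-style fuzz target looks like and why the coverage point above matters. Everything in it is constructed for this example: the toy decoder `toy_decode`, its two options, the hypothetical off-by-one that only appears when both options are combined, the three seed inputs and the small xorshift-driven loop standing in for a fuzzer. A pair of fixed-configuration targets, the kind a person tends to write, reaches every branch of the function without triggering the bug; a single target that lets the fuzzer pick the option mask from the first input byte finds it.

```c
/* Added illustration (not OSS-Fuzz, Google or cJSON code): toy decoder + two fuzz-target styles. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_CAP    16
#define OPT_ESCAPE 0x1u  /* input bytes >= 0x80 become '\\' + (byte & 0x7f) */
#define OPT_NUL    0x2u  /* append a 0 terminator after the decoded bytes */

/* Branch bookkeeping so the driver can report coverage of toy_decode(). */
enum { BR_PLAIN, BR_ESC, BR_FULL, BR_NUL, BR_COUNT };
static int branch_hit[BR_COUNT];

/* Decodes `in` into `out` (capacity out_cap), returns bytes written. Hypothetical bug: the
 * terminator guard compares the *input* length with the capacity, which only holds when each
 * input byte yields one output byte. With OPT_ESCAPE n may already equal out_cap here. */
static size_t toy_decode(const uint8_t *in, size_t len, unsigned opts, uint8_t *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        size_t need = ((opts & OPT_ESCAPE) && in[i] >= 0x80) ? 2 : 1;
        if (n + need > out_cap) { branch_hit[BR_FULL] = 1; break; }
        if (need == 2) { branch_hit[BR_ESC] = 1; out[n++] = '\\'; out[n++] = (uint8_t)(in[i] & 0x7f); }
        else           { branch_hit[BR_PLAIN] = 1; out[n++] = in[i]; }
    }
    if ((opts & OPT_NUL) && len < out_cap) { branch_hit[BR_NUL] = 1; out[n] = 0; } /* BUG: needs n < out_cap */
    return n;
}

/* One decode with a canary just past the documented capacity; returns 1 if it was overwritten.
 * Sizing `out` to exactly OUT_CAP under -fsanitize=address would report a stack-buffer-overflow. */
static int run_case(const uint8_t *data, size_t size, unsigned opts) {
    uint8_t out[OUT_CAP + 1];
    out[OUT_CAP] = 0xA5;
    toy_decode(data, size, opts, out, OUT_CAP);
    return out[OUT_CAP] != 0xA5;
}

/* Style 1: one fixed configuration per target, as a human often writes it. */
static int fuzz_escape_only(const uint8_t *d, size_t n) { return run_case(d, n, OPT_ESCAPE); }
static int fuzz_nul_only(const uint8_t *d, size_t n)    { return run_case(d, n, OPT_NUL); }

/* Style 2: the first input byte selects the option mask, so the fuzzer can reach every
 * combination from a single target. */
static int fuzz_any_config(const uint8_t *d, size_t n) {
    return n ? run_case(d + 1, n - 1, d[0] & (OPT_ESCAPE | OPT_NUL)) : 0;
}

/* libFuzzer entry point for style 2; the canary check becomes a crash the fuzzer reports. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (fuzz_any_config(data, size)) abort();
    return 0;
}

/* Stand-in for a fuzzer's mutation loop: three constructed seeds (for the config-aware target,
 * each under all four masks), then xorshift-random inputs of length 0..24. Returns violations. */
static int drive(int (*target)(const uint8_t *, size_t), int config_prefix) {
    uint8_t high8[8] = {0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87}, twenty_a[20], buf[32];
    const uint8_t *seeds[3] = { (const uint8_t *)"hello", twenty_a, high8 };
    size_t seed_len[3] = { 5, 20, 8 };
    uint32_t x = 0x9E3779B9u;
    int violations = 0;
    memset(twenty_a, 'A', sizeof twenty_a);
    for (int s = 0; s < 3; s++)
        for (unsigned cfg = 0; cfg < (config_prefix ? 4u : 1u); cfg++) {
            size_t n = 0;
            if (config_prefix) buf[n++] = (uint8_t)cfg;
            memcpy(buf + n, seeds[s], seed_len[s]);
            violations += target(buf, n + seed_len[s]);
        }
    for (int it = 0; it < 4000; it++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        size_t n = x % 25;
        for (size_t i = 0; i < n; i++) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; buf[i] = (uint8_t)x; }
        violations += target(buf, n);
    }
    return violations;
}

struct result { int violations, branches; };
/* style 1 = the fixed-config pair over the same corpus, 2 = the config-aware target */
static struct result campaign(int style) {
    struct result r = {0, 0};
    memset(branch_hit, 0, sizeof branch_hit);
    r.violations = style == 1 ? drive(fuzz_escape_only, 0) + drive(fuzz_nul_only, 0)
                              : drive(fuzz_any_config, 1);
    for (int b = 0; b < BR_COUNT; b++) r.branches += branch_hit[b];
    return r;
}

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION  /* libFuzzer supplies its own main */
int main(void) {
    struct result fixed = campaign(1), any = campaign(2);
    printf("fixed-config targets: %d/%d branches, %d violations\n", fixed.branches, BR_COUNT, fixed.violations);
    printf("config-aware target:  %d/%d branches, %d violations\n", any.branches, BR_COUNT, any.violations);
    return 0;
}
#endif
```

Built with a plain `cc`, the program reports 4/4 branches for both campaigns but violations only for the config-aware target: full coverage of `toy_decode` by the fixed-configuration pair says nothing about the `OPT_ESCAPE | OPT_NUL` combination. Built with `clang -fsanitize=fuzzer,address -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`, libFuzzer drives `LLVMFuzzerTestOneInput` directly and aborts on the first input that trips the canary. Deriving configuration from the input, as style 2 does, is one of the cheap structural choices that separates a target which saturates coverage from one that keeps finding bugs.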
The system has also been extended to mimic more of a developer's workflow: it fixes compilation errors in the targets it generates, runs them, and triages the resulting crashes, reducing the manual work between generating a target and confirming a real bug. Google open-sourced the framework, OSS-Fuzz-gen, in January 2024 so that other researchers can try LLM-generated fuzz targets on their own projects. Producing working fuzz targets across a wide range of codebases shows that LLMs can carry a real share of this work.