Google announced on Wednesday that it is offering free access to its fuzzing framework, OSS-Fuzz, in an effort to encourage its use by developers and researchers. The framework uses large language models (LLMs) to automate the manual parts of fuzz testing and is aimed at uncovering zero-day vulnerabilities in software.
In the company’s security blog post, Google’s open-source security team members Dongge Liu and Oliver Chang, along with machine learning security team members Jan Nowakowski and Jan Keller, highlighted the tangible security improvements that can be attained by combining OSS-Fuzz with LLMs. They noted that using LLMs to write project-specific fuzzing code has significantly boosted fuzzing coverage and led to the discovery of two new vulnerabilities in widely used projects, cJSON and libplist.
Although both projects had already been fuzzed for years, the LLM-generated code uncovered vulnerabilities that might otherwise have gone unnoticed. This underscores the value of investing in advanced fuzzing techniques to find vulnerabilities that could otherwise have remained undiscovered and unfixed indefinitely.
John McShane, senior security product manager at the Synopsys Software Integrity Group, emphasized the growing popularity of fuzzing in uncovering unknown or zero-day vulnerabilities, citing the discovery of the infamous Heartbleed vulnerability using a commercial fuzzing product.
Gisela Hinojosa, head of cybersecurity services at Cobalt Labs, emphasized the automated nature of fuzzing tests and their effectiveness in uncovering both low-hanging fruit and high-impact vulnerabilities such as buffer overflows. The hands-off nature of fuzzing makes it a relatively easy way to detect vulnerabilities without the need for constant oversight.
However, Shane Miller, an advisor to the Rust Foundation and a senior fellow at the Atlantic Council, cautioned that investment in dynamic testing tools like fuzzing should not be seen as a substitute for secure-by-design tactics. While fuzzing is a powerful tool for improving software security, Miller stressed the importance of choosing memory-safe programming languages as part of a comprehensive approach to developing secure software.
Google’s move to offer free access to its fuzzing framework, OSS-Fuzz, reflects the growing importance of advanced techniques such as LLM-enhanced fuzzing in uncovering software vulnerabilities. As the threat landscape continues to evolve, embracing new approaches to security testing will be essential in mitigating the risks associated with software vulnerabilities.