Google has used artificial intelligence to identify 26 new vulnerabilities in open source projects, including a bug in OpenSSL that went undetected for two decades. The bug, dubbed CVE-2024-9143, was an out-of-bounds memory issue that caused program crashes and, in rare cases, launched malicious code.
Image source: AI generation
To search for vulnerabilities and automate the process, Google developers used the fuzz testing method, in which random data is loaded into the code to identify possible failures. The company’s blog notes that the approach was to use the power of large language models (LLMs) to generate more fuzzing targets.
As it turned out, LLMs were “highly effective in emulating the entire workflow of a typical developer to write, test, and triage detected faults.” As a result, artificial intelligence was used to test 272 software projects, where 26 vulnerabilities were discovered, including an “ancient” bug in OpenSSL.
According to the researchers, the reason the bug went undetected for 20 years was because it was difficult to test individual scripts of the code, and because the code was considered to have already been thoroughly tested and therefore did not attract much attention. “Tests are not capable of measuring all possible paths through which a program can be executed. Different settings, flags and configurations can also activate different behaviors that reveal new vulnerabilities,” the experts explained. Fortunately, the error is of low severity due to the minimal risk of operating the process.
Previously, developers manually wrote code for fuzzing tests, but now Google plans to teach AI not only to find vulnerabilities, but also to automatically suggest fixes, minimizing human intervention. “Our goal is to reach a point where we are confident that we can do without manual verification,” the company said.