AI-powered fuzzing, introduced by Google's OSS-Fuzz team in 2023, uses large language models to generate more fuzz targets, aiming to automate the process of developing a fuzz target from start to finish. Fuzzing is a software testing technique that injects invalid or random data into a system to uncover security vulnerabilities. The team hopes that OSS-Fuzz will be useful for other researchers to evaluate AI-powered vulnerability discovery ideas and find more vulnerabilities before they are exploited.
Key takeaways:
- Google's OSS-Fuzz team has discovered 26 new vulnerabilities in open-source projects, including a critical one in the OpenSSL library, which is crucial to most internet infrastructure.
- The vulnerabilities were discovered using AI, marking a milestone for automated vulnerability finding. The OpenSSL vulnerability has likely been present for two decades and wouldn't have been discoverable with existing fuzz targets written by humans.
- AI-powered fuzzing, first announced by Google's OSS-Fuzz team in 2023, aims to use large language models to improve fuzzing coverage and uncover more vulnerabilities automatically, before attackers can exploit them.
- The ultimate goal of AI-powered fuzzing is to fully automate developing a fuzz target from start to finish, a task that is currently manual and time-consuming.
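As an added example (not code from OSS-Fuzz, Google, or the post), this is the shape of the artifact the takeaways call a fuzz target: a libFuzzer entry point, which is what OSS-Fuzz builds against, wrapped around a small parser. The record format, parser, and seed inputs are constructed for illustration, and the driver at the end stands in for the fuzzing engine so the target can be exercised without libFuzzer.

```c
// Added example (not OSS-Fuzz's or Google's code): the shape of a libFuzzer
// fuzz target. Format, parser and seed inputs are constructed for illustration.
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TAG_TEXT 0x01   // constructed wire format: 1-byte tag, 1-byte length, payload
#define TAG_BLOB 0x02

struct record {
    uint8_t tag;
    uint8_t len;
    uint8_t payload[255];
};
// Parse one record into *out: 0 on success, -1 on malformed input.
// The length byte is checked against the buffer before anything is copied.
int parse_record(const uint8_t *data, size_t size, struct record *out) {
    if (size < 2) return -1;                  // need at least tag and length
    uint8_t tag = data[0], len = data[1];
    if (tag != TAG_TEXT && tag != TAG_BLOB) return -1;
    if ((size_t)len + 2 > size) return -1;    // payload must fit in the buffer
    out->tag = tag;
    out->len = len;
    memcpy(out->payload, data + 2, len);
    return 0;
}

// The fuzz target. libFuzzer calls this repeatedly with mutated inputs; bugs
// surface as crashes or sanitizer reports, and returning 0 means "consumed".
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct record r;
    (void)parse_record(data, size, &r);
    return 0;
}

// Stand-in for the engine so the target runs without libFuzzer: feeds a
// constructed seed corpus through the target and counts well-formed records.
int run_constructed_corpus(void) {
    static const uint8_t ok[]       = { TAG_TEXT, 3, 'a', 'b', 'c' };
    static const uint8_t too_long[] = { TAG_BLOB, 10, 0x00 };  // len > data
    static const uint8_t bad_tag[]  = { 0x7f, 0 };
    const uint8_t *inputs[] = { ok, too_long, bad_tag };
    const size_t sizes[]    = { sizeof ok, sizeof too_long, sizeof bad_tag };
    int accepted = 0;
    for (size_t i = 0; i < 3; i++) {
        struct record r;
        LLVMFuzzerTestOneInput(inputs[i], sizes[i]);   // what the engine does
        if (parse_record(inputs[i], sizes[i], &r) == 0) accepted++;
    }
    return accepted;   // 1: only the first seed is well-formed
}
```

Built with `clang -fsanitize=fuzzer,address`, the same `LLVMFuzzerTestOneInput` becomes a real fuzzer; what an LLM-generated target adds is a harness that reaches code paths, such as OpenSSL's, that no hand-written target exercised.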