Google Uncovers 20-Year-Old Software Bug Using AI

Google has reached a milestone in cybersecurity with the discovery of a critical 20-year-old software bug in the OpenSSL library. The discovery is part of Google’s ongoing work on OSS-Fuzz, a project aimed at finding and reporting software bugs in open-source projects. Using AI-generated and enhanced fuzz targets—essentially automated tests designed to uncover vulnerabilities—Google recently identified 26 new vulnerabilities, including the OpenSSL bug (CVE-2024-9143).

This achievement is remarkable because traditional human-written fuzz targets had failed to uncover the bug, which had been hidden in the critical OpenSSL codebase for two decades. The AI-generated fuzz targets explored previously untested code paths, enabling the discovery of vulnerabilities that might have otherwise remained undetected. This breakthrough highlights how artificial intelligence transforms vulnerability detection and improves open-source software security.

How AI Software Made It Possible

The breakthrough is powered by a large language model (LLM) integrated into Google’s fuzzing workflow. This AI software enhances coverage by automating tasks that traditionally required manual effort, including:

Drafting Fuzz Targets: The LLM generates targeted tests based on project-specific context.

Fixing Compilation Errors: It iteratively resolves issues during the fuzz target creation process.

Running Initial Tests: The AI refines fuzz targets by fixing runtime issues.

Triage and Analysis: Crashes are analyzed to determine their root causes and whether they represent valid vulnerabilities.

This iterative process has expanded code coverage across 272 projects, significantly improving testing.

Key Vulnerabilities Discovered

In addition to the OpenSSL bug, Google uncovered a vulnerability in the cJSON project, demonstrating the effectiveness of AI-generated fuzz targets in projects previously tested with human-written harnesses. These findings emphasize that even well-tested software can harbor undetected flaws.

Traditional metrics like line coverage often fail to account for all possible code paths and states, making AI-generated fuzz targets an important and useful tool for enhancing security.

The Road Ahead for Google’s AI Products

Google plans to push the boundaries of AI-powered vulnerability detection further. Upcoming goals include automating triage processes to reduce human oversight, integrating AI tools directly into the OSS-Fuzz platform, and enabling LLMs to generate patches for discovered vulnerabilities autonomously.

By incorporating agent-based architectures, which allow AI models to use debugging tools and validate results, Google aims to create a fully automated end-to-end software bug detection and remediation solution.

Google’s discovery underscores the transformative potential of AI tools in securing critical infrastructure. As AI models evolve, they promise to uncover hidden vulnerabilities faster and more effectively than ever, ensuring open-source projects remain robust and secure against exploitation.
The post Google Uncovers 20-Year-Old Software Bug Using AI appeared first on eWEEK.