Google has used artificial intelligence to identify 26 new vulnerabilities in open source projects, including a bug in OpenSSL that went undetected for two decades. The bug, dubbed CVE-2024-9143, was an out-of-bounds memory issue that caused program crashes and, in rare cases, launched malicious code.
To search for vulnerabilities and automate the process, Google developers used the fuzz testing method, in which random data is loaded into the code to identify possible failures. The company’s blog notes that the approach was to use the power of large language models (LLMs) to generate more fuzzing targets.
As it turned out, LLMs turned out to be “highly efficient in emulating the entire workflow of a typical developer to write, test, and triage detected failures”. As a result, artificial intelligence was used to test 272 software projects, where 26 vulnerabilities were discovered, including an “ancient” bug in OpenSSL.
According to the researchers, the reason the bug went undetected for 20 years was because it was difficult to test individual scripts of the code, and because the code was considered to have already been thoroughly tested and therefore did not attract much attention. “Tests are not capable of measuring all possible paths through which a program can be executed. Different settings, flags, and configurations can trigger different behaviors that expose new vulnerabilities.“, the experts explained. Fortunately, the error is of low severity due to the minimal risk of operating the process.
Previously, developers manually wrote code for fuzzing tests, but now Google plans to teach AI not only to find vulnerabilities, but also to automatically suggest fixes, minimizing human intervention. “Our goal is to reach a level where we are confident in the ability to do without manual verification“, the company said.
If you notice an error, select it with the mouse and press CTRL+ENTER.