It’s easy to point fingers at Google when vulnerabilities appear in popular products like Chrome or when Gmail users face security threats. However, it’s essential to recognize that Google is pioneering advancements in security research. Behind many of these discoveries are specialized teams, including the renowned Google Threat Analysis Group and the innovative Jigsaw Unit, both focused on thwarting attacks and securing open societies. Recently, another team has emerged with groundbreaking contributions—the OSS-Fuzz team, known for harnessing the power of AI to bolster defenses. This team has made waves by identifying 26 new vulnerabilities in open-source projects, including a critical flaw in OpenSSL, a key component of global internet infrastructure.
Uncovering Hidden Vulnerabilities with AI
Following the recent identification of a zero-day vulnerability in widely used software by Google’s AI vulnerability detection agent, Big Sleep, the company has further showcased its capabilities in AI-assisted security discovery. As highlighted in a report by Google’s security experts Oliver Chang, Dongge Liu, and Jonathan Metzman, the 26 uncovered vulnerabilities are a substantial achievement for automated vulnerability detection, particularly CVE-2024-9143, which affects the OpenSSL library. Notably, this flaw is believed to have existed for two decades and had gone undetected by human-written fuzz targets.
The OpenSSL vulnerability, characterized as an out-of-bounds memory issue, poses risks ranging from application crashes to remote code execution, either of which could create opportunities for attackers. The Google researchers reported the issue on September 16, and a fix was rolled out by October 16.
The Evolution of AI-Driven Fuzzing Techniques
Google’s OSS-Fuzz team first announced their AI-powered fuzzing initiative in August 2023, aiming to use large language models to automate and enhance the fuzzing process. The method seeks to increase fuzzing coverage and identify vulnerabilities before malicious actors can exploit them. It relies on the coding capabilities of AI models to generate fuzz targets: small harness functions, similar in shape to unit tests, that hand fuzzer-generated input to a program’s API so its functionality can be probed for vulnerabilities.
The ultimate goal is to transform what has typically been a labor-intensive manual process into a fully automated one. Fuzzing itself is a technique in which invalid or random data is fed into a system to discover security weaknesses. While running a fuzzer is automated, writing the targets it needs has remained manual work, and that is the gap the OSS-Fuzz team is filling with AI.
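To make concrete what a fuzz target is, here is an added example written for this article (it is not OSS-Fuzz’s own code and has nothing to do with OpenSSL): a small, constructed record parser together with the libFuzzer-style entry point that OSS-Fuzz builds and runs against a library. The `parse_record` function, its record layout, and the seed corpus are all hypothetical; the point is the shape of the harness and the bounds checks that keep a truncated input from turning into an out-of-bounds read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical library function under test (constructed for this example).
 * Parses a record laid out as [1-byte tag][1-byte len][len bytes of payload]
 * and copies the payload into out (capacity out_cap). Returns the payload
 * length, or -1 for malformed input. Every read is checked against size. */
int parse_record(const uint8_t *buf, size_t size, uint8_t *out, size_t out_cap) {
    if (buf == NULL || size < 2) return -1;   /* header must be present */
    uint8_t tag = buf[0];
    size_t len = buf[1];
    if (tag != 0x01) return -1;               /* only tag 0x01 is defined */
    if (len > size - 2) return -1;            /* payload truncated: reject, never read past end */
    if (len > out_cap) return -1;             /* would overflow the caller's buffer */
    memcpy(out, buf + 2, len);
    return (int)len;
}

/* The fuzz target, in the entry-point shape libFuzzer and OSS-Fuzz expect.
 * The fuzzer calls this with mutated inputs; under AddressSanitizer any
 * out-of-bounds access inside parse_record is reported as a crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t out[255];
    (void)parse_record(data, size, out, sizeof out);
    return 0;   /* non-zero return values are reserved by libFuzzer */
}

/* Minimal stand-alone driver so the harness can be exercised without libFuzzer:
 * runs a constructed seed corpus through the target. Returns the number of
 * inputs executed. A real OSS-Fuzz build links against the fuzzing engine instead. */
int run_seed_corpus(void) {
    static const uint8_t seeds[][4] = {
        {0x01, 0x02, 'h', 'i'},   /* well-formed record */
        {0x01, 0x09, 'h', 'i'},   /* declares more payload than is present */
        {0x02, 0x00, 0x00, 0x00}, /* unknown tag */
    };
    static const size_t sizes[] = {4, 4, 2};
    for (size_t i = 0; i < 3; i++)
        LLVMFuzzerTestOneInput(seeds[i], sizes[i]);
    return 3;
}
```

Built with `clang -fsanitize=fuzzer,address`, the same `LLVMFuzzerTestOneInput` becomes a fuzzer binary; the driver above only exists so the file compiles and runs on its own.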
“We believe OSS-Fuzz can serve as a valuable resource for researchers exploring AI-driven vulnerability detection,” the team expressed. “Ultimately, we hope it can empower defenders to proactively uncover vulnerabilities before they can be exploited.”
The AI Buzz Hub team is excited to see where these breakthroughs take us. Want to stay in the loop on all things AI? Subscribe to our newsletter or share this article with your fellow enthusiasts.