AI In Fuzzing Uncovers Critical OpenSSL Vulnerabilities
Artificial Intelligence (AI) is the hottest online commodity right now, and its integration into AI in fuzzing and automated vulnerability discovery is proving to be a game changer. Recently, OSS-Fuzz, a Google initiative aimed at enhancing open-source security, reported 26 new vulnerabilities discovered using AI, including a critical flaw in the OpenSSL library (CVE-2024-9143). This vulnerability, which had likely been present for nearly two decades, was identified through AI-powered fuzzing.
Traditionally, fuzzing has been a manual process involving the generation of fuzz targets—small, automated programs designed to stress-test software for vulnerabilities. However, AI has transformed this process, enabling more efficient, expansive, and precise testing.
By using AI models, particularly large language models (LLMs), OSS-Fuzz has improved its fuzzing capabilities. These AI-powered systems can generate fuzz targets that cover more code paths and introduce new variations, uncovering vulnerabilities that would otherwise remain hidden.
The Integration of AI in Fuzzing Vulnerabilities
The integration of AI in fuzzing was first announced by the OSS-Fuzz team in August 2023. The team introduced AI-powered fuzzing to automatically generate fuzz targets for testing critical open-source software, aiming to discover vulnerabilities early and reduce the window of opportunity for attackers.
The key innovation here is the use of LLMs to generate fuzz targets—essentially unit tests that focus on specific functionality within software, looking for potential bugs or security flaws. The AI’s ability to create fuzz targets based on coding patterns and historical data from existing tests allowed OSS-Fuzz to automate the previously manual process of developing and refining these targets.
The results of this approach were evident as the AI-generated fuzz targets increased code coverage across a wide range of C/C++ projects. OSS-Fuzz, which had been testing 160 projects before AI integration, expanded this number to 272 projects, covering an additional 370,000 lines of code.
Your browser does not support the video tag.
The most interesting improvement was observed in a single project where coverage increased by 7,000%—from 77 lines to 5,434 lines. This surge in code coverage directly contributed to the discovery of 26 new vulnerabilities, with CVE-2024-9143 in OpenSSL being the most notable. This vulnerability had likely existed for two decades and could not have been discovered using traditional human-written fuzz targets.
How AI-powered Fuzzing Helps in Mitigating Vulnerabilities
AI’s ability to uncover these hidden vulnerabilities is due, in part, to its capacity to explore previously untested code paths. While traditional fuzzing measures code coverage, which helps to indicate which portions of code have been tested, it doesn’t necessarily guarantee the detection of all vulnerabilities.
The AI-powered fuzzing system generates new and varied fuzz targets that account for different behaviors, configurations, and edge cases, thereby ensuring a more thorough search for bugs. Even when code coverage metrics appear sufficient, the AI’s enhanced fuzzing can still uncover previously overlooked issues. This is exemplified by the discovery of a bug in the cJSON project, where AI-generated fuzz targets found a vulnerability in a function already covered by human-written tests.
In addition to improving fuzz coverage, the AI system has evolved to simulate a developer’s workflow, incorporating steps such as fixing compilation errors, running fuzz targets, and triaging crashes. The goal is to create a fully automated fuzzing process that reduces manual intervention while increasing the accuracy and speed of vulnerability detection. In January 2024, OSS-Fuzz open-sourced its framework, enabling other researchers to experiment with AI-powered fuzzing in their own environments. At that point, the AI models had already demonstrated the ability to generate functional fuzz targets across 160 projects, further validating the efficacy of this approach.