Google’s fuzzing framework is now free for everyone to access

TLDR:

  • Google is now offering free access to its fuzzing framework, OSS-Fuzz, in an effort to encourage developers and researchers to use the tool to find zero-day vulnerabilities in software.
  • OSS-Fuzz uses large language models (LLMs) to automate the manual aspects of fuzz testing and improve coverage.
  • Google has already used OSS-Fuzz and LLM-generated improvements to discover two new vulnerabilities in widely-used projects.

Google is making its fuzzing framework, OSS-Fuzz, available for free to developers and researchers. Fuzzing is an automated testing technique used to uncover zero-day vulnerabilities in software. Google has been using large language models (LLMs) to boost fuzzing coverage and find more vulnerabilities. The company has discovered two new vulnerabilities in the widely used projects cJSON and libplist thanks to the expanded fuzzing coverage provided by LLM-generated improvements. Google hopes that by offering free access to its fuzzing framework, it will encourage more developers to use fuzzing as a tool for finding vulnerabilities.

Fuzzing has proven successful in finding previously unknown, or zero-day, vulnerabilities. However, it has been hindered by its manual aspects, which deter open-source maintainers from effectively fuzzing their projects. Google's offer of free access to OSS-Fuzz aims to address this issue. Open-source maintainers, who are often volunteers with limited funding, may not have the time or resources to run resource-intensive fuzzing tools. Fuzzing tools are also known to produce a large number of false positives, adding extra work for an already stretched team. By offering free access, Google hopes to make fuzzing more accessible and easier for developers to adopt.

While fuzzing is an effective tool for finding vulnerabilities, it is not a substitute for secure-by-design practices. Secure-by-design tactics, such as choosing memory-safe programming languages, are essential. Fuzzing, however, helps expand the scope of testing by exploring software behavior with unexpected inputs that can reveal vulnerabilities. By using fuzzing in combination with secure-by-design practices, developers can improve the security of their software.

Google is also offering guidance on using LLMs to build an auto-patching pipeline. The AI-powered patching approach using LLMs resolved 15% of targeted bugs, saving significant time for engineers. However, safety is emphasized as the most important part of patching. Automated patching should be reviewed by a human to ensure that the patch does not introduce new problems. The challenge for the LLM in automated patching is to have all the necessary contextual knowledge to patch effectively without causing issues.

In summary, Google is providing free access to its fuzzing framework, OSS-Fuzz, to encourage developers and researchers to use fuzzing as a tool to find vulnerabilities. By using large language models (LLMs) to automate fuzz testing, Google was able to discover new vulnerabilities in widely-used projects. Fuzzing is not a substitute for secure-by-design practices, but it can help improve the security of software when used alongside these practices. Google is also offering guidance on using LLMs for auto-patching, although safety remains the most important aspect of patching.