Google Uses AI to Discover 20-Year-Old Software Bug – PCMag

Google recently used an AI program to help it discover a software bug thats persisted in an open-source software project for the past two decades.

The software bug is among 26 vulnerabilities Google recently identified with the help of a ChatGPT-like AI tool, the company said in a blog post on Wednesday.

Google discovered the vulnerabilities through an approach called "fuzz testing," which involves feeding a software program random data to see if itll crash and then diagnosing the problem. Last year, the companystartedan effort to use large language models to write the fuzz testing code, offloading the work from humans who previously had to conduct the fuzz testing manually.

Our approach was to use the coding abilities of an LLM to generate more fuzz targets, Googles Open Source Security Team wrote in Wednesdays blog post. LLMs turned out to be highly effective at emulating a typical developers entire workflow of writing, testing, and iterating on the fuzz target, as well as triaging the crashes found.

An example of how the LLM does fuzz testing. (Credit: Google)

Since then, Google has applied the AI tool for fuzz testing across 272 software projects, which led it to discover the 26 vulnerabilities, including a 20-year-old bug found in OpenSSL, which is widely used to provide encryption and server authentication for internet connections.

"We reported this vulnerability on September 16 and a fix was published on October 16. As far as we can tell, this vulnerability has likely been present for two decades and wouldnt have been discoverable with existing fuzz targets written by humans," researchers added.

The 20-year-old bug, dubbed CVE-2024-9143, involves the software triggering an "out-of-bounds memory access," which can cause the program to crash or, in rare cases, execute rogue computer code. Fortunately, the bug is low severity due to the minimal risk of the out-of-bounds memory access executing a dangerous process.

Still, Google theorizes the bug went undiscovered because the specific code was presumed to be thoroughly tested and vetted. Code coverage as a metric isnt able to measure all possible code paths and statesdifferent flags and configurations may trigger different behaviors, unearthing different bugs," researchers said. "These examples underscore the need to continue to generate new varieties of fuzz targets even for code that is already fuzzed."

Going forward, Google's Open Source Security Team is working to make the LLMs suggest a patch for any bugs found during the fuzzing process. Another goal is "to get to a point where we're confident about not requiring human review," the team said. "This will help automatically report new vulnerabilities to project maintainers."

The effort joins another Google AI project, dubbed "Big Sleep," which also involves finding security vulnerabilities by using LLMs to mimic the workflow of a human security researcher. Earlier this month, the company said Big Sleep was smart enough to discover a previously unknown and exploitable bug in SQLite, an open-source database engine.

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

I've been working as a journalist for over 15 yearsI got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.

Read Michael's full bio

Read more:
Google Uses AI to Discover 20-Year-Old Software Bug - PCMag