Fuzzing can be a useful tool for finding zero-day vulnerabilities in software. To encourage its use by developers and researchers, Google announced Wednesday that it is providing free access to its fuzzing framework, OSS-Fuzz.
According to Google, substantial security improvements can be achieved by using frameworks that automate the manual aspects of fuzz testing with the help of large language models (LLMs). “We use LLMs to improve fuzzing coverage and project-specific code to find more vulnerabilities,” Google Open Source Security team members Dongge Liu and Oliver Chang, and machine language security team members Jan Nowakowski and Jan Keller wrote on the company blog.
So far, the expanded fuzzing coverage from the LLM-driven improvements to OSS-Fuzz has enabled Google to discover two new vulnerabilities in cJSON and libplist, even though both widely used projects had already been fuzzed for several years, they noted. Without the fully LLM-generated code, these two vulnerabilities would have remained undetected and unfixed forever, they added.
Fuzzing is automated testing
“Fuzzing has been around for decades and is gaining popularity for its success in finding previously unknown or zero-day vulnerabilities,” said John McShane, senior security product manager at Synopsys Software Integrity Group, a provider of security platforms optimized for DevSecOps. “The infamous Heartbleed vulnerability was discovered by security engineers using Defensics, a commercial fuzzing product.”
Gisela Hinojosa, director of cybersecurity services at penetration testing firm Cobalt Labs, added that while fuzzing can catch a lot of the “low-hanging fruit,” it can also expose some high-impact items like buffer overflows. “Because fuzzing is an automated test, you don’t need a babysitter,” she said. “It just does its job, so you don’t have to worry. It’s a relatively easy way to find vulnerabilities.”
Fuzzing is not a replacement for a designed security strategy
But Shane Miller, advisor to the Rust Foundation and senior fellow at the Atlantic Council, an international affairs and economics think tank in Washington, D.C., warns: “Investments in dynamic testing tools like fuzzing are no substitute for security testing. Intentional tactics, such as choosing a memory-safe programming language, are powerful tools for improving software security.”