
Google offers free access to fuzzing framework

Fuzzing can be a valuable tool for ferreting out zero-day vulnerabilities in software. In hopes of encouraging its use by developers and researchers, Google announced Wednesday it’s now offering free access to its fuzzing framework, OSS-Fuzz.

According to Google, tangible security improvements can be obtained by using the framework to automate the manual aspects of fuzz testing with the help of large language models (LLMs). “We used LLMs to write project-specific code to boost fuzzing coverage and find more vulnerabilities,” Google open-source security team members Dongge Liu and Oliver Chang and machine learning security team members Jan Nowakowski and Jan Keller wrote in a company blog post.

So far, the expanded fuzzing coverage from the LLM-generated code has allowed Google to discover two new vulnerabilities in cJSON and libplist, even though both widely used projects had already been fuzzed for years, they noted. Without the completely LLM-generated code, these two vulnerabilities could have remained undiscovered and unfixed indefinitely, they added.
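As an added example (not code from Google's blog post, the OSS-Fuzz project, cJSON or libplist), here is the shape of a libFuzzer-style fuzz target of the kind the article is talking about, written against a small hypothetical key=value parser defined inline so that it builds and runs offline. The parser, the `kv_*` names and the `KV_FUZZING_BUILD` macro are assumptions made for this illustration; `LLVMFuzzerTestOneInput` is the real libFuzzer entry point that OSS-Fuzz builds and runs. The point of the harness is the one the Google team makes: a "project-specific" target that drives more of the library's API (here the serializer as well as the parser, with a round-trip oracle) reaches code that a parse-only harness never touches.

```c
/* Added example, not from Google, OSS-Fuzz or any real project: a libFuzzer
 * target for a hypothetical "key=value\n" config parser. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KV_MAX_PAIRS 16
#define KV_MAX_LEN   64   /* key or value, including the terminating NUL */

struct kv_pair {
    char key[KV_MAX_LEN];
    char value[KV_MAX_LEN];
};

/* Parse "key=value\n" lines from a bounded buffer that is NOT NUL-terminated
 * (fuzzer input never is). Returns the number of pairs stored, or -1 if the
 * input is malformed: empty key, missing '=', over-long field, embedded NUL,
 * or more lines than out[] can hold. */
int kv_parse(const uint8_t *data, size_t len, struct kv_pair *out, size_t max_pairs)
{
    size_t n = 0, pos = 0;
    while (pos < len) {
        size_t eol = pos;
        while (eol < len && data[eol] != '\n') eol++;
        /* An embedded NUL cannot survive the C-string serializer below; reject it here
         * so the round-trip oracle in the harness does not report a false positive. */
        if (memchr(data + pos, '\0', eol - pos) != NULL) return -1;
        size_t eq = pos;
        while (eq < eol && data[eq] != '=') eq++;
        if (eq == eol) return -1;                        /* no '=' on this line */
        size_t klen = eq - pos, vlen = eol - eq - 1;
        if (klen == 0 || klen >= KV_MAX_LEN || vlen >= KV_MAX_LEN) return -1;
        if (n == max_pairs) return -1;
        memcpy(out[n].key, data + pos, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].value, data + eq + 1, vlen);
        out[n].value[vlen] = '\0';
        n++;
        pos = eol + 1;   /* past the '\n'; at end of input this steps past len */
    }
    return (int)n;
}

/* Serialize pairs back to "key=value\n" lines. Returns the number of bytes
 * written (excluding the NUL), or -1 if buf is too small. */
int kv_serialize(const struct kv_pair *pairs, int count, char *buf, size_t buflen)
{
    size_t used = 0;
    if (buflen == 0) return -1;
    buf[0] = '\0';
    for (int i = 0; i < count; i++) {
        int w = snprintf(buf + used, buflen - used, "%s=%s\n", pairs[i].key, pairs[i].value);
        if (w < 0 || (size_t)w >= buflen - used) return -1;   /* output truncated */
        used += (size_t)w;
    }
    return (int)used;
}

/* libFuzzer entry point, the function OSS-Fuzz builds and runs. It must accept
 * any byte string and return 0; it should crash (ASan report or abort()) only
 * on a real defect. Exercising both the parser and the serializer is what lifts
 * coverage above a parse-only harness, and the round trip is the oracle. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct kv_pair first[KV_MAX_PAIRS], second[KV_MAX_PAIRS];
    char buf[KV_MAX_PAIRS * 2 * KV_MAX_LEN + 1];   /* worst case: 16 lines of 128 bytes + NUL */

    int n = kv_parse(data, size, first, KV_MAX_PAIRS);
    if (n < 0) return 0;          /* rejected input is not a bug; the fuzzer tries another */

    int written = kv_serialize(first, n, buf, sizeof buf);
    if (written < 0) abort();     /* buf is sized for the worst case, so this is a bug */

    int m = kv_parse((const uint8_t *)buf, (size_t)written, second, KV_MAX_PAIRS);
    if (m != n) abort();
    for (int i = 0; i < n; i++)
        if (strcmp(first[i].key, second[i].key) != 0 ||
            strcmp(first[i].value, second[i].value) != 0)
            abort();              /* round trip changed the data: parser and serializer disagree */
    return 0;
}

#ifndef KV_FUZZING_BUILD
/* Stand-alone driver for a plain `cc target.c` build. libFuzzer supplies its own
 * main, so fuzz with: clang -g -O1 -fsanitize=fuzzer,address -DKV_FUZZING_BUILD target.c
 * It replays a few constructed seed inputs, as OSS-Fuzz does with a seed corpus. */
int main(void)
{
    static const char *const seeds[] = {
        "host=example.org\nport=443\n",   /* constructed, well-formed */
        "a=b=c",                          /* '=' inside the value, no trailing newline */
        "",                               /* empty input */
        "novalue\n",                      /* malformed: rejected, not a crash */
    };
    for (size_t i = 0; i < sizeof seeds / sizeof seeds[0]; i++)
        LLVMFuzzerTestOneInput((const uint8_t *)seeds[i], strlen(seeds[i]));
    puts("seed corpus replayed without a crash");
    return 0;
}
#endif
```

Two details in the target are the ones that most often go wrong in hand-written harnesses and that a generated harness also has to get right: the input is passed as a bounded buffer and never treated as a C string, and inputs the library legitimately rejects return 0 rather than aborting, so the fuzzer keeps mutating instead of reporting noise.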

Fuzzing is an automated test

“Fuzzing has been around for decades and is gaining popularity with its success in finding previously unknown or zero-day vulnerabilities,” says John McShane, senior security product manager at the Synopsys Software Integrity Group, a provider of a security platform optimized for DevSecOps. “The infamous Heartbleed vulnerability was discovered by security engineers using Defensics, a commercial fuzzing product.”

Fuzzing can catch a lot of “low-hanging fruit,” but it can also expose some high-impact items, like buffer overflows, adds Gisela Hinojosa, head of cybersecurity services at Cobalt Labs, a penetration testing company. “Since fuzzing is an automated test, it doesn’t need a babysitter,” she says. “It’ll just do its thing, and you don’t really have to worry about it. It’s a relatively easy way to find vulnerabilities.”

Fuzzing not a substitute for secure-by-design tactics

However, Shane Miller, an advisor to the Rust Foundation and a senior fellow at the Atlantic Council, an international affairs and economics think tank, in Washington, DC, cautions, “Investments in dynamic testing tools like fuzzing are not a substitute for secure-by-design tactics, like choosing memory-safe programming languages, but they are a powerful tool for improving the security of software.”
