According to a report by Google's Threat Analysis Group, 2023 saw a significant increase in major zero-day exploits. From commercial espionage to ransomware attacks, zero-day exploitation is heating up again, and zero-day vulnerabilities are moving from a "niche luxury" to "mass fast-moving goods".
In 2024, zero-day vulnerabilities combined with supply chain attacks will remain the "best partners" of cyber attacks, keeping global enterprises fearful.
In the face of the new "zero-day crisis", Google recently made a major decision, announcing that its tool for digging out zero-day vulnerabilities, the fuzzing framework OSS-Fuzz, is available for free. Google claims that the move is to help developers and researchers find software vulnerabilities more easily.
Intelligence and automation of fuzz testing
Fuzzing is a technique that uncovers potential vulnerabilities by feeding unexpected data into software to simulate a malicious attack.
Industry experts generally agree that fuzzing is a powerful software security tool that can identify not only common low-severity vulnerabilities, but also high-risk issues such as buffer overflows. "Fuzzing has been around for decades and is growing in popularity with its success in discovering unknown and zero-day vulnerabilities," said John McShane, senior security product manager at Synopsys Software Integrity Group. "The infamous Heartbleed vulnerability was discovered by security engineers using the commercial fuzzing product Defensics."
Gisela Hinojosa, Head of Cybersecurity Services at Cobalt Labs, added: "Fuzz testing can uncover many 'low-hanging fruit' vulnerabilities, as well as expose some high-impact vulnerabilities. Since fuzz testing is automated, it doesn't need to be supervised; it automatically executes the tests with little to no worries. This is a relatively simple and easy way to find vulnerabilities."
Despite this, traditional fuzzing still requires a lot of manual work, but with the power of large language models (LLMs), Google's OSS-Fuzz can automate some of the manual processes and significantly improve efficiency.
In a blog post, a member of Google's open source security team wrote: "We wrote project-specific ** using large language models to improve fuzz testing coverage and find more vulnerabilities." By using large language models to improve the test coverage of OSS-Fuzz, the team members successfully discovered two previously unknown vulnerabilities in cJSON and libplist, projects which had been fuzzed for a long time without these issues being detected. They emphasize:
Without what the large language model generated, these two vulnerabilities may never have been discovered and fixed.
Fuzz testing is not a substitute for secure design principles
Shane Miller, a senior fellow at the Atlantic Council and advisor to the Rust Foundation, cautions: "Investing in dynamic testing tools, such as fuzzing, is not a substitute for secure design principles, such as choosing a memory-safe programming language. Still, fuzzing is a powerful tool for improving software security."
"Fuzz testing expands the scope of testing by using unexpected inputs to explore software behavior, revealing vulnerabilities similar to those exploited in recent state-sponsored cyberattacks targeting critical infrastructure such as U.S. water treatment plants, power grids, oil and gas pipelines, and transportation hubs," Miller added.
While fuzzing is beneficial for developers, its manual aspects have been an obstacle that keeps open source project maintainers from fuzzing effectively. Google wants to solve this problem by making OSS-Fuzz available for free. "Because open source project maintainers are often volunteers and have limited funding, it's not always feasible to spend time and money running resource-intensive tools," said Michael J. Mehlberg, CEO of software supply chain security company Dark Sky Technology.
Mehlberg adds that there are also problems with traditional fuzzing tools that cannot be ignored:
"For example, fuzzing tools can also complicate an otherwise simple development environment, generate a lot of false positives, add review and analysis to already stressed teams, and may even be unable to take action due to lack of cybersecurity skills or experience."
AI-driven vulnerability patching
Google provides developers and researchers with guidelines for developing automated patch pipelines using large language models. "This AI-powered approach to patching addresses 15% of targeted vulnerabilities, saving engineers a lot of time," Google security team members wrote in a blog.
However, Hinojosa points out that the challenge in automating patching with large language models is that the model needs all the necessary contextual knowledge to patch effectively without breaking the system. "I think it's safer to have an automated system suggest a fix and then have a human manually review it before implementing it."
Dave (Jing) Tian, assistant professor of computer science at Purdue University, added, "The most critical issue in patching efforts is not automation, but security. It turns out that it is very difficult to prove that the patch only does what it is supposed to do, neither more nor less. As a result, there are currently only a few patches that can be automatically injected, and these patches are simple patches, such as changing a 32-bit integer of a variable to a 64-bit integer. For more complex patches, we still need security experts to review AI patches."
Conclusion
Google's free and open OSS-Fuzz fuzz testing framework is an important step in using AI to improve software security (tools). While fuzzing and AI-powered patches have shown great potential, human oversight is still critical to ensure security. By combining a new generation of intelligent fuzzing tools with security design practices, developers can dramatically improve the security and resiliency of their software.