One Article Review
| Source |  GoogleSec |
|---|---|
| Identifiant | 8370865 |
| Date de publication | 2023-08-16 13:03:58 (vue: 2023-08-16 19:07:08) |
| Titre | Fuzzing à propulsion AI: brisant la barrière de chasse aux insectes AI-Powered Fuzzing: Breaking the Bug Hunting Barrier |
| Texte | Dongge Liu, Jonathan Metzman, Oliver Chang, Google Open Source Security Team Since 2016, OSS-Fuzz has been at the forefront of automated vulnerability discovery for open source projects. Vulnerability discovery is an important part of keeping software supply chains secure, so our team is constantly working to improve OSS-Fuzz. For the last few months, we\'ve tested whether we could boost OSS-Fuzz\'s performance using Google\'s Large Language Models (LLM). This blog post shares our experience of successfully applying the generative power of LLMs to improve the automated vulnerability detection technique known as fuzz testing (“fuzzing”). By using LLMs, we\'re able to increase the code coverage for critical projects using our OSS-Fuzz service without manually writing additional code. Using LLMs is a promising new way to scale security improvements across the over 1,000 projects currently fuzzed by OSS-Fuzz and to remove barriers to future projects adopting fuzzing. LLM-aided fuzzingWe created the OSS-Fuzz service to help open source developers find bugs in their code at scale-especially bugs that indicate security vulnerabilities. After more than six years of running OSS-Fuzz, we now support over 1,000 open source projects with continuous fuzzing, free of charge. As the Heartbleed vulnerability showed us, bugs that could be easily found with automated fuzzing can have devastating effects. For most open source developers, setting up their own fuzzing solution could cost time and resources. With OSS-Fuzz, developers are able to integrate their project for free, automated bug discovery at scale. |
| Envoyé | Oui |
| Condensat | our additionally automating but example learn llm since the this to we 000 2016 2022 3602 able about above across add added adding addition additional addresses adds adopting after aided all allow also any applying are area around associated assured automated automatic automatically average barrier barriers been believe benefits between blog boost breaking bug bugs built but c/c++ can case chains chang change charge closely cloud code collaborating compilation compile comprehensive conducts connects constantly continue continuous cost could cover coverage covered covers created creates critical currently customers cve day detection devastating developers did different discover discovery dongge each easily ecosystems effective effects effort eliminate engineering errors especially evaluates evaluating evaluation even event every everyone example expectation experience experiment extend extending fails feature find finetuning first five fix forefront found framework free from fully functions future fuzz fuzzed fuzzing fuzzing: fuzzingin fuzzingwe gain generate generated generation generative given goal: goals google has have heartbleed help high however hunting identifies identifying implement important improve improvement improvements include:adding includes increase increased increases indicate information infrastructure initial input integrate integrated interventions introspector investment involvement isn its java jonathan keeping known language large last least like likely line little liu llm llms longer look maintainers majority make manual manually mean meaning metzman me”to missed model models months more most need new next not now observes of often oliver onboarding onboards one ongoing only open openssl optimize order oss other out outputs over overall overview: own part parts passes performance personalized pictured portion post potential power powered previously process production project projects promising prompt prompts python randomized recent rediscovered remains remove replicate report required research researchers resources results revised rounds run running runs sample saw scale secure security service set setting several shares showed shown similar six software solution source specific steps successfully suggests supply support takes target targeted targets taught team team since technique term test tested testing tests than them then this: oss though through time tinyxml2 tinyxml2: tool tough towards trying under unit untouched us: use used users using verified volunteers vulnerabilities vulnerability want way went what when whether which who will without work workflow working worth would wouldn write writing years yet zero “fuzzing” “hey |
| Tags | Vulnerability Cloud |
| Stories | |
| Notes | ★★ |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.