Pushing state of the art even further!

Introducing OSS-Fuzz/ClusterFuzzLite integrations using LLMs! Exciting new work that combines LLMs with program analysis tooling (Fuzz Introspector) to synthesize harnesses. It's all open source as well!

We had double digit vulnerability coverage increase for 3p libraries, thanks to the commit hash scanning feature in #OSV for vendored C/C++ dependencies (and not have to rely on buggy CPEs). You should use it too osv.dev/blog/posts/int…

Very excited that Ubuntu now officially supports the OSV format! openssf.org/blog/2024/06/1…

The DARPA #AIxCC will help design new #AI systems to secure major open source projects that our critical infrastructure relies upon. Learn how Google's OSS-Fuzz can show opportunities where AI can help find and patch vulnerabilities for the challenge: security.googleblog.com/2024/06/hackin…

OSTIF worked with ADA Logics to complete audits on 3 Apache Commons libraries (IO, Lang, and Codec)! This effort was made possible though the support of Apache - The ASF and funding by Amazon Web Services. Read about the engagement's impact on the JDK libraries at ostif.org/apachec-audit-…

The deadline for DARPA #AIxCC is just a week away. I am beyond excited on what participants will accomplish to push the state of the art in vuln finding and fixing using #Gemini! With #Gemini 1.5 Pro and 1M context window, we see early promising results in vulnerability analysis

Thanks to ADA Logics for doing a security audit recently for Minder! They analyzed our threat model and vulnerable code patterns, so that we can make Minder even more secure. stacklok.com/blog/securing-… #cybersecurity

Exciting work on Java fuzzing and auto harnessing for OSS-Fuzz projects! All is open source as well on OSS-Fuzz-gen's repo

LLM-generated harnesses finding issues in extensively fuzzed software!

Sharing slides and video for my keynote at OSS EU'24: "Securing the software commons: Standards, Automation, and AI for a Resilient Open Source Future" Slides: drive.google.com/file/d/186iq3Y… Video: youtube.com/watch?v=NwI2Mk…

OSS-Fuzz-gen uses #LLMs for #fuzzing auto-harnessing, bug triaging and more. So far, real harnesses and real bugs on real projects. I made a short introduction video that shows the full OSS-Fuzz-gen workflow on a sample project youtube.com/watch?v=RR7CUy…

One week later the bug count is now at 25 bugs total (github.com/google/oss-fuz…) There's still many improvements to be made to improve success rate of generated targets, but we now have the problem of too many crashes to triage. Automating this will a focus of our future research.

Our LLM work has found an out-of-bounds read in OpenSSL!

Auto-harnessing by way of LLM finds issue in OpenSSL! Pretty cool! All the infra is open source as well github.com/google/oss-fuz… !

New blog post about OSS-Fuzz AI-powered fuzzing is live! We talk about what went into making LLMs work well enough for this use case to find 26 new vulnerabilities (including a CVE in OpenSSL), as well as what else we have planned to make this better. security.googleblog.com/2024/11/leveli…

#Fuzzing harnesses generated using #LLMs uncover 26 new vulns and a CVE in #OpenSSL! Super interesting direction for the intersection of AI and security -- lot's more to uncover as well! It's open source too: github.com/google/oss-fuz…

"Fuzz Introspector: enabling rapid fuzz introspection tool development" -- a new blog post on Fuzz Introspector and how it is moving into supporting analysis as a pure python library. adalogics.com/blog/fuzz-intr… Also, follow me bluesky: bsky.app/profile/davkor… #fuzzing

Auto generating #fuzzing harnesses by way of program analysis and #LLMs! New blog post "Minimal LLM-based fuzz harness generator": adalogics.com/blog/minimal-l… We show how you can generate a sophisticated fuzz harness synthesis tool with a few lines of code.

Automating OSS-Fuzz integrations with an agentic approach to build generation blog.oss-fuzz.com/posts/oss-fuzz… #Fuzzing at scale needs a solution for build script generation and an LLM-based agentic approach looks promising. It naturally works well with OFGs harness gen capabilities 🤟