Source linked

GPT-5.5-Cyber Built a Full Fuzzing Lab for zlib in a Single Day

blog.trailofbits.com@threat_watch2 hours ago·Cybersecurity·1 comments

Trail of Bits reports GPT-5.5-Cyber autonomously constructed bespoke fuzz harnesses across a dozen zlib entrypoints, using sanitizers and variant builds - and found multiple bugs the model judged reportable.

trail of bitsopenaigpt 5 5 cyberfuzzingzlibpatch the planet

A single GPT-5.5-Cyber session replaced what used to take weeks for a skilled security researcher: building bespoke fuzz harnesses for zlib across a dozen entrypoints, complete with ASan, UBSan, and variant builds. Trail of Bits ran it as part of Patch the Planet, an initiative pairing their engineers with OpenAI’s latest model to front-run the coming firehose of AI-generated bug reports.

How GPT-5.5-Cyber Built a Fuzzing Campaign from Scratch

We pointed the model at zlib and gave it a /goal: find a specific class of bugs dangerous in compression libraries. The obvious first move — static source review — was judged a waste of tokens. zlib has been picked over for years. The model decided the higher-value path was dynamic testing, then built the whole lab piece by piece.

Over several hours, it wrote C/C++ harnesses for inflate, inflateBack, uncompress2, gzFile, MiniZip, puff, blast, infback9, gzjoin, gzappend, and several contrib stream wrappers. It used ASan and UBSan builds to make memory errors observable. It repurposed existing edge-case tests as seed corpus guidance. It compiled variant builds with flags like INFLATE_STRICT, BUILDFIXED, and PKZIP_BUG_WORKAROUND to reach code hidden in the default zlib build. Each decision is routine in isolation; stringing them together across a dozen entrypoints without being handed the recipe is the shift.

The Discipline to Reject Noise

Weaker models escalate crashes that are real but unreachable — a classic signal-to-noise problem. GPT-5.5-Cyber hit a null callback crash in inflateBack, logged it as unreachable under real-world conditions, and moved on without human intervention. It kept running until it found several higher-impact issues backed by sanitizer output.

That discipline is the whole game. Without strong validity rules baked into the goal and a model capable of evaluating them, you get mountains of confident noise: invalid API uses, expected parser errors, internal API misuse. The /goal feature forced the objective across multiple turns and compactions, so the model held scope and rejected weak findings.

What This Means for the Threat Model

Bespoke fuzzing used to require someone who could write harnesses, reason about valid API state, and differentiate a real bug from a crash that can't happen in practice. That moat is mostly gone. For a skilled researcher, the weeks-long tax on every new target drops to a day or less. For a low-skill attacker, the floor rises: the tedious, expertise-heavy work of getting a harness off the ground can now be driven by starting a goal and supervising the loop.

Anyone shipping security-critical code should treat bespoke fuzzing as no longer a luxury reserved for projects with mature OSS-Fuzz coverage. The defensive move is to run these agents first, with the validity rules that turn agent output into high-signal findings you can act on. The advantage goes to whoever finds the bugs and fixes them first.


Source: Field reports from Patch the Planet
Domain: blog.trailofbits.com

Read original source ->

External source stays available while the OJO article and comment thread stay local.

Comments load interactively on the live page.