Google releases ClusterFuzz as open source, the infrastructure behind its large-scale fuzzing

Fuzzing is a software testing technique: a program is fed large numbers of random or mutated inputs. If the program fails (for example by crashing, hanging, or triggering a sanitizer report), there is a flaw to fix.

It is particularly effective at finding memory corruption bugs, which often have serious security consequences. Finding such problems by hand is difficult and time-consuming, and they slip through even rigorous code review.

In December 2016, Google launched OSS-Fuzz to encourage more open source developers to adopt the fuzzing techniques Google says it has used to find hundreds of security and stability bugs in Chrome.

“The goal of OSS-Fuzz is to make the common software infrastructure more secure and stable by combining advanced fuzzing techniques with scalable distributed execution. OSS-Fuzz combines various fuzzing engines (initially libFuzzer) with sanitizers (initially AddressSanitizer) and provides a massively distributed execution environment with ClusterFuzz,” explained Google engineers.
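As an added illustration of the technique described above (this is not code from the article, from Google, or from the OSS-Fuzz project), here is a libFuzzer-style harness in C for a hypothetical length-prefixed record format, with the parser in a deliberately buggy and a hardened form. The record format, the function names, the file name and the build commands are assumptions. A small deterministic mutation loop is included so the file also runs stand-alone; under the real engine, libFuzzer supplies the mutations and AddressSanitizer turns the silent over-read or stack overflow in the buggy parser into a reported crash with a reproducer.

```c
/* Added example, not from the article and not Google's or OSS-Fuzz's code: a
 * libFuzzer-style harness for a hypothetical length-prefixed record format
 * ([1 byte payload length][payload]) in a buggy and a hardened form, plus a
 * small mutation loop so the file also runs without libFuzzer.
 *   with libFuzzer:  clang -g -O1 -fsanitize=fuzzer,address -DFUZZ_ENGINE -DUSE_UNSAFE fuzz_demo.c
 *   stand-alone:     cc -g -fsanitize=address [-DUSE_UNSAFE] fuzz_demo.c -o fuzz_demo && ./fuzz_demo
 * -DFUZZ_ENGINE drops main() (libFuzzer supplies its own); -DUSE_UNSAFE selects
 * the buggy parser so AddressSanitizer reports the overflow. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAYLOAD_MAX 64   /* capacity of the destination buffer */
#define INPUT_CAP   320  /* largest input the stand-alone loop generates */

/* Vulnerable parser: trusts the declared length. A declared length larger than
 * the record reads past the input (a heap over-read under libFuzzer, which hands
 * us exactly 'size' bytes); one larger than PAYLOAD_MAX overflows 'out'. */
int parse_record_unsafe(const uint8_t *data, size_t size, uint8_t *out, size_t *out_len)
{
    if (size < 1) return -1;
    size_t declared = data[0];
    memcpy(out, data + 1, declared);    /* BUG: no bounds check on either side */
    *out_len = declared;
    return 0;
}

/* Hardened parser: the declared length must fit both the input and 'out'. */
int parse_record_safe(const uint8_t *data, size_t size, uint8_t *out, size_t *out_len)
{
    if (size < 1) return -1;
    size_t declared = data[0];
    if (declared > size - 1 || declared > PAYLOAD_MAX) return -1;
    memcpy(out, data + 1, declared);
    *out_len = declared;
    return 0;
}

/* libFuzzer entry point: the engine calls this with millions of mutated inputs.
 * Returning 0 tells the engine the input was consumed. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t payload[PAYLOAD_MAX];
    size_t len = 0;
#ifdef USE_UNSAFE
    parse_record_unsafe(data, size, payload, &len);
#else
    parse_record_safe(data, size, payload, &len);
#endif
    (void)len;
    return 0;
}

/* Deterministic xorshift32 PRNG so stand-alone runs are reproducible. */
static uint32_t rng_state = 1;
static uint32_t rnd(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Minimal mutation fuzzer: start from one valid record, apply one random
 * mutation per round, and hand each case to the harness through a heap copy
 * of exactly 'len' bytes (as libFuzzer does) so ASan can see over-reads.
 * Returns the number of rounds completed (a sanitizer finding aborts the process). */
size_t fuzz_loop(size_t rounds, uint32_t seed)
{
    uint8_t cur[INPUT_CAP] = { 3, 'a', 'b', 'c' };   /* seed corpus: one valid record */
    size_t len = 4;
    rng_state = seed ? seed : 1;                      /* xorshift must not start at 0 */
    for (size_t i = 0; i < rounds; i++) {
        size_t pos;
        switch (rnd() % 4) {
        case 0:  pos = rnd() % len; cur[pos] = (uint8_t)rnd(); break;   /* overwrite a byte */
        case 1:  cur[0] = (uint8_t)rnd(); break;                         /* lie about the length */
        case 2:  len = 1 + rnd() % len; break;                           /* truncate */
        default: if (len < INPUT_CAP) cur[len++] = (uint8_t)rnd();       /* extend */
        }
        uint8_t *copy = malloc(len);
        if (!copy) return i;
        memcpy(copy, cur, len);
        LLVMFuzzerTestOneInput(copy, len);
        free(copy);
    }
    return rounds;
}

#ifndef FUZZ_ENGINE
int main(void)
{
    size_t done = fuzz_loop(200000, 2024);
    printf("%zu rounds completed without a sanitizer report\n", done);
    return 0;
}
#endif
```

Built stand-alone with the hardened parser, the loop runs to completion; rebuilt with -DUSE_UNSAFE, the first mutated record whose length byte exceeds the payload makes AddressSanitizer abort with a heap-buffer-overflow or stack-buffer-overflow report at the memcpy, which is exactly the class of silent bug the article says fuzzing with sanitizers exposes.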

In May 2017, Google reported that the automated fleet running OSS-Fuzz, which fuzzes the enrolled projects continuously so that crashes reach maintainers quickly, was processing 10 trillion test inputs per day and had found over 1,000 bugs, 264 of them potential security vulnerabilities, in 47 open source projects over the preceding five months. The security-relevant findings included 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC and 7 in Wireshark.

The bugs and potential security issues found include buffer overflows, use-after-free bugs (memory accessed after it has been freed), stack overflows and memory leaks. Fuzzing is not limited to memory-safety problems, however; it also turns up logic errors. As an example of the latter, Google cited a carry propagation bug in OpenSSL's big-number arithmetic (CVE-2017-3732).

Google also noted that OSS-Fuzz reported more than 300 timeouts and out-of-memory conditions, 75% of which were fixed. “Not all projects treat them like bugs, but by fixing these bugs, OSS-Fuzz can find more interesting bugs,” the researchers noted.

Google announces that ClusterFuzz is now open source

Google's announcement reads: “For software projects written in an unsafe language such as C or C++, fuzzing is a critical element in ensuring their security and stability. For fuzzing to be truly effective, it must be continuous, large-scale, and integrated into the development process of a software project. To make these features available to Chrome, we wrote ClusterFuzz, a fuzzing infrastructure that runs on more than 25,000 cores. For two years now we have been offering ClusterFuzz as a free service for open source projects via OSS-Fuzz.

Today we announce that ClusterFuzz is now open source and accessible to everyone.”

Google says it has been developing ClusterFuzz for eight years to integrate seamlessly into development processes and make finding and fixing bugs easy. ClusterFuzz provides end-to-end automation, from crash detection and triage (accurate deduplication, bisection) to filing bug reports and automatically closing them once the fix lands.

ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects integrated into OSS-Fuzz. It is an integral part of the Chrome development process and of many other open source projects. According to Google, ClusterFuzz can often detect a bug within hours of its introduction and verify the fix within a day.