Google Fuzz Project Finding Bugs

Wednesday, May 10, 2017 @ 09:05 AM gHale

With software being a vital factor in any system, any flaw has the potential to become a security disaster.

That is especially the case for the open source foundation of apps, sites, services, and networked things.


Along those lines, over the last five months, Google’s OSS-Fuzz program found more than 1,000 bugs in 47 open source software projects.

Launched in December, OSS-Fuzz has the mission of providing continuous fuzzing for select core open source software.

“OSS-Fuzz’s goal is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution,” Google said in a blog post when the project first started.

“OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers (initially, AddressSanitizer) and provides a massive distributed execution environment powered by ClusterFuzz.”

To date, OSS-Fuzz has discovered 264 potential security vulnerabilities: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark.

“Fuzzing not only finds memory safety related bugs, it can also find correctness or logic bugs,” Google’s engineers said in a blog post at the five-month mark.

“Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, before any users are affected.”
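To make concrete what a fuzz target of the kind OSS-Fuzz runs with libFuzzer and AddressSanitizer looks like, and how it can surface a logic bug as well as a memory-safety bug, here is an added example that is not OSS-Fuzz's code or any listed project's. The toy record format, `parse_record` and `encode_record` are assumptions made for illustration; only the `LLVMFuzzerTestOneInput` entry point and the `-fsanitize=fuzzer,address` build flag are libFuzzer's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record format (an assumption, not any real project's):
 *   byte 0      : payload length n (0..MAX_PAYLOAD)
 *   bytes 1..n  : payload
 *   byte n+1    : checksum, XOR of all payload bytes */
#define MAX_PAYLOAD 64

/* Decode one record into out (capacity MAX_PAYLOAD). Returns 0 on success,
 * -1 on malformed input. The two bounds checks are the kind of line a fuzzer
 * finds missing: drop either one and AddressSanitizer reports an
 * out-of-bounds write or read on a suitable mutated input. */
int parse_record(const uint8_t *data, size_t size, uint8_t *out, size_t *out_len) {
    if (size < 2) return -1;
    size_t n = data[0];
    if (n > MAX_PAYLOAD) return -1;  /* would overflow out[] */
    if (n + 2 > size) return -1;     /* would read past the end of data[] */
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = data[1 + i];
        sum ^= out[i];
    }
    if (sum != data[1 + n]) return -1;
    *out_len = n;
    return 0;
}

/* Encode a payload of n bytes into buf (needs n + 2 bytes). Returns bytes written. */
size_t encode_record(const uint8_t *payload, size_t n, uint8_t *buf) {
    uint8_t sum = 0;
    buf[0] = (uint8_t)n;
    for (size_t i = 0; i < n; i++) {
        buf[1 + i] = payload[i];
        sum ^= payload[i];
    }
    buf[1 + n] = sum;
    return n + 2;
}

/* libFuzzer entry point, called once per mutated input. Memory errors are
 * caught by AddressSanitizer; the round-trip check below turns a logic bug
 * into an abort the fuzzer reports the same way.
 * Build: clang -g -fsanitize=fuzzer,address target.c -o target */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t payload[MAX_PAYLOAD];
    size_t len = 0;
    if (parse_record(data, size, payload, &len) != 0) return 0;  /* rejected input */
    uint8_t again[MAX_PAYLOAD + 2];
    size_t m = encode_record(payload, len, again);
    /* Invariant: decoding then re-encoding must reproduce the record bytes exactly. */
    if (m != len + 2 || memcmp(again, data, m) != 0) abort();
    return 0;
}
```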

Google wants even more open source projects to reap the benefit of fuzzing, and has put out a call for more projects to participate in the program. This time, though, there’s added incentive.

“Combined with fixing all the issues that are found, this is often a significant amount of work for developers who may be working on an open source project in their spare time. To support these projects, we are expanding our existing Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz,” Google said.

For now, only software projects that have a large user base and/or are critical to global IT infrastructure need apply. Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration.
