For a while now, Google's Chrome team has had a fuzzing tool to help them find bugs in the browser before bounty hunters do. Now, Mountain View has decided the same techniques can be applied to open source software in general.
The company's emitted the first generalised version of its OSS-Fuzz software at GitHub.
A quick primer: fuzzing involves sending random data at a piece of software to crash it and capturing the conditions at the time of the crash.
Chrome's in-process fuzzing is described in this blog post, in which security engineer Max Moroz introduced libFuzzer.
libFuzzer attacked individual components of Chrome, sending the random data directly to the API. It's a coverage-guided fuzzer, meaning it measures “code coverage for every input, and accumulate test cases that increase overall coverage”.
Coverage-guided fuzzing is also what Mountain View wants to offer the world of open source software.
Described as in an “early stage”, the authors say their current focus is on libFuzzer, with documentation teaching users how to:
- add fuzzing to an open source project;
- build and run fuzzers in a target source code repo; and
- build and run external fuzzers.
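To show what "adding fuzzing to a project" means in libFuzzer terms, here is an added example that is not code from the OSS-Fuzz repository or any of the projects it lists: a constructed, bounds-checked TLV (tag, length, value) record parser and the `LLVMFuzzerTestOneInput` entry point that libFuzzer calls with every generated input, keeping the inputs that reach new code. The parser, its format and the build command are assumptions for illustration, not something the page describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a tiny TLV record parser of the kind a project might
 * hand to libFuzzer. Each record is <tag:1 byte><len:1 byte><len value bytes>.
 * Returns the number of records parsed, or -1 on malformed input. The two
 * bounds checks are exactly the conditions a coverage-guided fuzzer probes by
 * mutating tags and lengths until it reaches a new branch. */
int parse_tlv(const uint8_t *data, size_t size) {
    size_t pos = 0;
    int records = 0;
    while (pos < size) {
        /* Every record needs at least a tag byte and a length byte. */
        if (size - pos < 2) return -1;
        uint8_t tag = data[pos];
        uint8_t len = data[pos + 1];
        pos += 2;
        /* Reject a length that would read past the end of the buffer. */
        if (len > size - pos) return -1;
        if (tag == 0) return -1;          /* tag 0 is reserved in this format */
        uint8_t value[256];
        memcpy(value, data + pos, len);   /* safe: len <= 255 < sizeof(value) */
        pos += len;
        records++;
    }
    return records;
}

/* libFuzzer entry point. Build with (assumed command line, not from the page):
 *   clang -g -fsanitize=fuzzer,address tlv_fuzzer.c -o tlv_fuzzer
 * then run ./tlv_fuzzer; any crash is written out as a reproducer file. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    parse_tlv(Data, Size);  /* the result is irrelevant; crashes are the signal */
    return 0;               /* non-zero return values are reserved by libFuzzer */
}
```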
Fuzzers have so far been added (see the project list at https://github.com/google/oss-fuzz/blob/master/docs/projects.md) to BoringSSL, the Expat XML parser, FreeType 2, LibChewing (a Chinese phonetic input library), Libpng, LibXML2, the RE2 regular expression engine, SQLite, and the TPM2 library. ®