And you thought Fuzzilli was a pasta... Google offers up $50k in cloud credits to fuzz the hell out of JavaScript engines

And don't forget the paperwork after, says Chocolate Factory


Google is offering bug hunters thousands of dollars worth of compute time on its cloud to hammer away at JavaScript engines and uncover new security flaws in the software.

The Mountain View ads giant said it will hand out up to $5,000 each in Google Compute Engine (GCE) credits for fuzzing JS interpreters, earmarking $50,000 in total for the program. The grants will go to security bods who can figure out better ways to bombard the software with carefully crafted inputs in the hope of homing in on exploitable security vulnerabilities, such as heap overflows and function pointer overwrites, so that they can subsequently be fixed.

Researchers can focus on any of the major JavaScript engines: Safari's JavaScriptCore, the v8 engine in Chrome and Edge, or Firefox's SpiderMonkey. The program is set to run until October 1, 2021, or until the cash runs out. Google's Project Zero hopes the offering will lead to more efficient ways of sussing out bugs in complex software that pretty much everyone uses every day, without breaking the bank.

"JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild zero-day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome," explained Project Zero's Samuel Groß on Thursday. "Unfortunately, fuzzing JavaScript engines to uncover these vulnerabilities is generally quite expensive due to their high complexity and relatively slow processing of input."

As an example of the high cost of probing non-trivial code, Groß said the Google Cloud virtual-machine instances used to find about 20 bugs with Project Zero's JS engine fuzzer Fuzzilli in 2019 would have set you and me back around $10,000.

"Income from bug bounty programs is uncertain, as there is no guarantee a new approach will also discover new bugs," he added. "Moreover, as any bounty money is paid out only later, researchers need to bear the costs of fuzzing in advance. This likely results in bugs staying unfixed and thus exploitable for longer. This program aims to help solve this problem."

The program isn't entirely new, by the way: it was previously academic-only, meaning anyone wanting credits to work on better fuzzing had to be affiliated with a university to get a grant.

"Submissions are not limited to those in academia or those with a demonstrated track record of success – if you have a good idea in this space, we'd love to hear from you," said Groß. "Incoming submissions will be reviewed by a review board on a regular basis and we aim to respond to every submission within 2 weeks."

That said, Google is placing some conditions on the work. Flaw-finders will have to report any vulnerabilities they find along the way to the affected vendor – be it Apple, Google, Microsoft, or Mozilla – and publish something, such as a blog post, detailing the find, or present it at a conference, within six months of getting the grant. Infosec bods in US-sanctioned countries such as North Korea, Iran, Cuba, and Syria are also out of luck.

Use of Google's Fuzzilli tool is also "encouraged" by the Project Zero team.

Any CVE credits and bug bounty payouts that come along with the fuzzing work can be kept by the finder, though Google is asking that everyone involved make their work open source and share it with the rest of the world. Google also wants its own private report on the work, something Groß says is intended to "make our folks in accounting happy," and to ensure that people aren't simply burning through the free compute time with nothing to show for it. ®



Biting the hand that feeds IT © 1998–2020