And you thought Fuzzilli was a pasta... Google offers up $50k in cloud credits to fuzz the hell out of JavaScript engines

And don't forget the paperwork after, says Chocolate Factory

Google is offering bug hunters thousands of dollars' worth of compute time on its cloud to hammer away at JavaScript engines and uncover new security flaws in the software.

The Mountain View ads giant said it will hand folks each up to $5,000 in Google Compute Engine (GCE) credits to conduct fuzzing tests on JS interpreters, earmarking $50,000 total for the program. The grants will go to security bods who can figure out better ways to bombard the software with carefully crafted data in the hope of homing in on exploitable security vulnerabilities, such as heap overflows and function pointer overwrites, that can be subsequently fixed.

Researchers can focus on any of the major JavaScript engines: Safari's JavaScriptCore, Chrome and Edge's v8, or Firefox's SpiderMonkey engine. The program is set to run until October 1, 2021, or until the cash runs out. Google's Project Zero hopes this offering will lead to people figuring out more efficient ways to suss out bugs in complex software that pretty much everyone uses every day, without breaking the bank.

"JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild zero-day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome," explained Project Zero's Samuel Groß on Thursday. "Unfortunately, fuzzing JavaScript engines to uncover these vulnerabilities is generally quite expensive due to their high complexity and relatively slow processing of input."

As an example of the high cost involved in probing non-trivial code, Groß said the Google Cloud virtual-machine instances used to find about 20 bugs with Google Project Zero's JS engine fuzzer Fuzzilli in 2019 would have set you and me back around $10,000.

"Income from bug bounty programs is uncertain, as there is no guarantee a new approach will also discover new bugs," he added. "Moreover, as any bounty money is paid out only later, researchers need to bear the costs of fuzzing in advance. This likely results in bugs staying unfixed and thus exploitable for longer. This program aims to help solve this problem."

The program isn't entirely new, by the way: it had previously been an academic-only operation, and anyone wanting to get credits to work on better fuzzing had to be part of a university in order to get a grant.

"Submissions are not limited to those in academia or those with a demonstrated track record of success – if you have a good idea in this space, we'd love to hear from you," said Groß. "Incoming submissions will be reviewed by a review board on a regular basis and we aim to respond to every submission within 2 weeks."

That said, Google is placing some conditions on the work. Flaw-finders will have to report any vulnerabilities they find along the way to the affected vendor – be it Apple, Google, Microsoft, or Mozilla – and publish something, such as a blog post, detailing the find, or present it at a conference, within six months of getting the grant. Infosec bods in US-sanctioned countries such as North Korea, Iran, Cuba, and Syria are also out of luck.

Use of Google's Fuzzilli tool is also "encouraged" by the Project Zero team.

Any CVE credits and bug bounty payouts that come along with the fuzzing work can be kept by the finder, though Google is asking that everyone involved make their work open source and share it with the rest of the world. Google also wants its own private report on the work, something Groß says is intended to "make our folks in accounting happy," and ensure that people aren't just taking their free compute time fruitlessly. ®
