Google is making news this week in developer circles. The search giant has come forward with a software fuzzing tool designed to fuzz open source code.
What is fuzz (testing)?
Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data (called fuzz) to the system in an attempt to make it crash.
If a vulnerability is found, the tool doing the testing, called a fuzz tester (or fuzzer), indicates potential causes.
So then, the goal of Google’s OSS-Fuzz, currently in beta, is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution.
According to Google, “Recent security stories confirm that errors like buffer overflow and use-after-free can have serious, widespread consequences when they occur in critical open source software. These errors are not only serious, but notoriously difficult to find via routine code audits, even for experienced developers.”
That’s where fuzz testing comes in. By generating random inputs to a given program, fuzzing triggers and helps uncover errors quickly and thoroughly.
OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers (initially, AddressSanitizer) and provides a massive distributed execution environment powered by ClusterFuzz.
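To make the libFuzzer plus AddressSanitizer pairing concrete, here is an added example (not code from Google, OSS-Fuzz or any project enrolled in it): a minimal libFuzzer target for a hypothetical length-prefixed record parser. The record layout, the parser and the build command are all assumptions for illustration.

```c
// Added example: a libFuzzer harness for a hypothetical record parser.
// Assumed build with clang, libFuzzer and ASan available:
//   clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness && ./harness
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_NAME 32

// Constructed record layout: [tag:1 byte][len:1 byte][name:len bytes]
struct record {
    uint8_t tag;
    char name[MAX_NAME + 1];
};

// Returns 1 and fills *out for a well-formed record, 0 otherwise.
// The two bounds checks are what a hardened parser needs. Without the
// `len > size - 2` check, a record whose len field exceeds the buffer
// makes memcpy read past the end of the input; under libFuzzer,
// AddressSanitizer reports that as a heap-buffer-overflow as soon as the
// engine mutates an input into that shape, which typically takes seconds.
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 2)
        return 0;
    uint8_t len = data[1];
    if (len > MAX_NAME)          // would overflow out->name
        return 0;
    if (len > size - 2)          // would read past the end of data
        return 0;
    out->tag = data[0];
    memcpy(out->name, data + 2, len);
    out->name[len] = '\0';
    return 1;
}

// libFuzzer entry point: called repeatedly with mutated inputs. Returning 0
// means "input consumed"; crashes and sanitizer reports are the findings.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record r;
    (void)parse_record(data, size, &r);
    return 0;
}

// Helpers for exercising the parser on constructed inputs outside the fuzzer.
int record_accepted(const char *buf, size_t size)
{
    struct record r;
    return parse_record((const uint8_t *)buf, size, &r);
}

int record_name_is(const char *buf, size_t size, const char *expected)
{
    struct record r;
    return parse_record((const uint8_t *)buf, size, &r) == 1 &&
           strcmp(r.name, expected) == 0;
}
```

The input `"\x07\x09hello"` (seven bytes, but a len field of nine) is exactly the shape the fuzzer finds on its own; with the length check removed, ASan flags it instead of the parser silently reading two bytes past the buffer.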
Black Duck on Fuzz
The open source security experts at Black Duck had plenty to say on Google’s news and contacted Computer Weekly’s Open Source Insider blog to make the following comments…
“OSS-Fuzz is a great new resource for the open source community to improve the quality of components and identify vulnerabilities very early. One outcome of this effort will be to increase user confidence in both open source software development as well as with specific components.”
“OSS-Fuzz potentially could become an essential tool for all open source projects during their development cycles, but will also increase the need for robust management systems. Many (Google) eyes will undoubtedly detect new vulnerabilities in older applications, which will flood the OSS community with new known risks to overcome.”
“Vulnerability reporting is a crucial component of any open source risk management to determine if any component used in the development of a product has disclosed vulnerabilities; even long after the product is released. Open source “consumers” will still need to be vigilant and take ownership of open source vulnerability management for their applications since there are millions of open source components and only a small portion of them will be tested with OSS-Fuzz.”