Security news that informs and inspires

Google Expands Automated OSS-Fuzz Program


In the nearly two years since the project began, Google’s OSS-Fuzz cloud fuzzing platform has identified more than 9,000 bugs in open source software apps. The project has been a success by any measure, and now Google is adding a number of its own internal tools to the fuzzing arsenal.

OSS-Fuzz is a free project that Google started in 2016 as a way to help open source software projects identify bugs and exploitable vulnerabilities that need to be fixed. Many open source projects are run by volunteers and may not have the resources to perform the kind of testing that Google’s program can provide. The project uses a variety of fuzzing engines and it runs on Google’s massive distributed infrastructure, known as ClusterFuzz, which the company built to fuzz its Chrome browser.
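To make concrete what a project hands to OSS-Fuzz, here is an added example of a fuzz target in the libFuzzer style that the platform builds, instruments with a sanitizer, and runs continuously on ClusterFuzz. It is not code from OSS-Fuzz or from any project integrated with it: the record format, the parser and every name other than `LLVMFuzzerTestOneInput` are hypothetical, and the seed inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fuzz target in the libFuzzer style that OSS-Fuzz
 * builds and runs. The "type, length, payload" record format and the
 * parser below are hypothetical, written only to show what the harness
 * exercises. Build for fuzzing with:
 *   clang -g -O1 -fsanitize=fuzzer,address target.c -o target
 * or stand-alone, replaying the constructed seeds, with:
 *   cc -DSTANDALONE target.c -o target */

#define MAX_RECORDS 8
#define MAX_PAYLOAD 16

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} record_t;

/* Parse consecutive records of [type:1][len:1][payload:len]. Returns the
 * number of records parsed, or -1 if the input is malformed. Every read is
 * bounds-checked against `size` and every copy against MAX_PAYLOAD and
 * `max_out`; dropping any one of these checks is exactly the defect a
 * sanitizer-instrumented fuzzer reports within minutes, which is the point
 * of wiring the parser into a target. */
int parse_records(const uint8_t *data, size_t size, record_t *out, size_t max_out)
{
    size_t pos = 0;
    int count = 0;

    while (pos < size) {
        if (size - pos < 2)
            return -1;                       /* truncated header */
        uint8_t type = data[pos];
        uint8_t len = data[pos + 1];
        pos += 2;
        if (len > MAX_PAYLOAD)
            return -1;                       /* would overflow out->payload */
        if (len > size - pos)
            return -1;                       /* would read past the input */
        if ((size_t)count >= max_out)
            return -1;                       /* would overflow out[] */
        out[count].type = type;
        out[count].len = len;
        memcpy(out[count].payload, data + pos, len);
        pos += len;
        count++;
    }
    return count;
}

/* libFuzzer entry point: the fuzzing engine calls this once per generated
 * input. The return value must be 0; a crash, sanitizer report, leak or
 * timeout inside the call is what OSS-Fuzz files as a bug. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    record_t recs[MAX_RECORDS];
    parse_records(data, size, recs, MAX_RECORDS);
    return 0;
}

#ifdef STANDALONE
/* Replay a constructed seed corpus without libFuzzer. A real project would
 * instead ship such seeds as a corpus directory for the engine to mutate. */
int main(void)
{
    const uint8_t seed1[] = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00};
    const uint8_t seed2[] = {0x01, 0xFF};    /* declared length overruns input */
    LLVMFuzzerTestOneInput(seed1, sizeof seed1);
    LLVMFuzzerTestOneInput(seed2, sizeof seed2);
    puts("seed corpus replayed without a crash");
    return 0;
}
#endif
```

The harness is deliberately thin: it does no validation of its own and simply feeds the raw bytes to the parser, so that any crash is attributable to the code under test rather than to the target. OSS-Fuzz runs the same function under the engines it supports and with sanitizers enabled, so the bounds checks in `parse_records` are what stand between a malformed length byte and a reported stack-buffer overflow.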

The OSS-Fuzz project has dozens of open source projects connected to it, and Google is hoping to expand that number; it is also adding a number of the company's own internal fuzzing tools to the program.

“In addition to OSS-Fuzz, Google's security team maintains several internal tools for identifying bugs in both Google internal and Open Source code. Until recently, these issues were manually reported to various public bug trackers by our security team and then monitored until they were resolved. Unresolved bugs were eligible for the Patch Rewards Program,” Matt Ruhstaller and Oliver Chang of Google said.

“While this reporting process had some success, it was overly complex. Now, by unifying and automating our fuzzing tools, we have been able to consolidate our processes into a single workflow, based on OSS-Fuzz. Projects integrated with OSS-Fuzz will benefit from being reviewed by both our internal and external fuzzing tools, thereby increasing code coverage and discovering bugs faster.”

Google’s project is unique in a number of respects, particularly in the enormous scale of the infrastructure available to the open source projects involved. Not many, if any, companies can match the resources that Google has at its disposal, and the company is using some of that embarrassment of riches to provide technical support to the open source community.

The OSS-Fuzz project also includes financial support for participating projects, through its rewards program. Projects that integrate with OSS-Fuzz can qualify for rewards of $1,000 to $20,000 to help cover the costs of the integration work. Not every open source project qualifies for the reward, but Google officials said they want to bring in many more projects.

“Our goal is to admit as many OSS projects as possible and ensure that they are continuously fuzzed,” Ruhstaller and Chang said.