Continuous Fuzzing for all? Google open sources ClusterFuzz bug hunter

Continuous Fuzzing for all? Google open sources ClusterFuzz bug hunter

Google has open sourced ClusterFuzz, a scalable fuzzing infrastructure project that has already helped to get rid of more than 16,000 Chrome bugs.

It is also the tool used for Google’s Oss-Fuzz initiative, which aims at helping maintainers of open source projects get their project as ready to deal with anything users throw at it as possible – an offer over 160 projects have accepted in the last two years. Fuzzing is a sort of testing approach which confronts a system with random inputs to help developers to find security flaws and unexpected behaviour.

ClusterFuzz has been written to offer fuzzing at scale and in a continuous manner, which is why Google claims to have it running on over 25,000 cores for Chrome. There it is integrated into the development workflow and provides users with a web interface for managing and viewing crashes caused during testing. To ensure no issue goes unnoticed, it also includes automatic bug filing and closing for the Monorail issue tracker.

ClusterFuzz offers coverage guided fuzzing with open source projects libFuzzer and AFL, as well as blackbox fuzzing. The former traces the code coverage reached by the input fed into a fuzz target, so that a fuzzing engine can decide which input to modify to maximize coverage. While this works well for self-contained and deterministic targets, another approach is needed for large, slow targets with highly structured input formats.

This is where blackbox fuzzing comes into play, which generates inputs for a target without knowing how the program is implemented. Since the input is either generated from scratch or relies on a static corpus of files as a basis for mutation, the corpus doesn’t grow as it does with coverage guided fuzzing, which might become a bit much when working with large targets.

While ClusterFuzz can be run locally to test core features, quite a few of the project’s functions depend on Google Cloud Services and are therefore disabled for local instances. Local development with the project is supported on Linux and macOS only.

To get ClusterFuzz running you need to have the Google Cloud SDK installed, as well as v2.7 of the Python programming language and Google’s Go. Other dependencies have been bundled into an installation script, which is available for Debian or later and several Ubuntu and macOS versions.

The source code is available via GitHub, where the project is licensed under a Apache License 2.0.