Continuous Fuzzing for all? Google open sources ClusterFuzz bug hunter

Google has open sourced ClusterFuzz, the scalable fuzzing infrastructure that has already helped find more than 16,000 bugs in Chrome.

It is also the infrastructure behind Google's OSS-Fuzz initiative, which helps maintainers of open source projects harden their code against whatever inputs users (or attackers) throw at it; more than 160 projects have signed up in the last two years. Fuzzing is a testing technique that feeds a program large volumes of malformed or randomly mutated inputs and watches for crashes, memory-safety errors and other unexpected behaviour, many of which turn out to be security flaws.

ClusterFuzz was written to fuzz continuously and at scale: for Chrome alone, Google runs it on over 25,000 cores. There it is integrated into the development workflow and provides a web interface for managing and viewing the crashes found during testing. To ensure no issue goes unnoticed, it also files bugs automatically in the Monorail issue tracker and closes them again once the crash stops reproducing.

ClusterFuzz offers coverage guided fuzzing using the open source engines libFuzzer and AFL, as well as blackbox fuzzing. A coverage guided engine records which code paths each input reaches in the fuzz target, keeps the inputs that reach something new, and mutates those further, so the corpus steadily pushes into code that has not been exercised yet. This works well for self-contained and deterministic targets; large, slow targets with highly structured input formats need a different approach.
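To make the coverage guided loop concrete, here is an added example written for this article; it is not code from ClusterFuzz, libFuzzer or AFL. It pairs a toy libFuzzer-style target for a hypothetical "REC:key=value;" record format with a minimal, deterministic mutate-and-keep-if-new-coverage loop. The explicit EDGE() calls stand in for the compiler instrumentation a real engine relies on, and the format, edge IDs and function names are all assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <set>
#include <string>
#include <vector>

// Explicit "edge" coverage: each branch of the toy target records its ID here.
// libFuzzer and AFL get the same signal from compiler instrumentation
// (-fsanitize=fuzzer / afl-clang-fast); the manual EDGE() calls only make the
// mechanism visible in this self-contained example.
static std::set<int> g_edges;
#define EDGE(id) g_edges.insert(id)

// Toy target: count records in a hypothetical "REC:key=value;key=value" format.
// Returns the record count, or -1 on malformed input. Assumed for this example
// only; it is not a format ClusterFuzz or OSS-Fuzz defines.
int parse_records(const uint8_t *data, size_t size) {
  if (size < 4 || memcmp(data, "REC:", 4) != 0) { EDGE(1); return -1; }
  EDGE(2);
  int n = 0;
  size_t i = 4;
  while (i < size) {
    EDGE(3);
    size_t eq = i;
    while (eq < size && data[eq] != '=') eq++;
    if (eq == size) { EDGE(4); return -1; }   // no '=' in this record
    if (eq == i)    { EDGE(5); return -1; }   // empty key
    size_t end = eq + 1;
    while (end < size && data[end] != ';') end++;
    if (end < size) EDGE(6); else EDGE(7);     // ';'-terminated vs. last record
    n++;
    i = end + 1;
  }
  EDGE(8);
  return n;
}

// libFuzzer entry point, called once per generated input. For real fuzzing build:
//   clang++ -g -O1 -fsanitize=fuzzer,address -DLIBFUZZER_BUILD fuzz.cpp
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  parse_records(data, size);
  return 0;
}

// Run the target on one input and return the set of edges it reached.
std::set<int> edges_for(const std::string &in) {
  g_edges.clear();
  parse_records(reinterpret_cast<const uint8_t *>(in.data()), in.size());
  return g_edges;
}

struct FuzzResult {
  std::vector<std::string> corpus;  // seed plus every input that found new coverage
  size_t edges_seen;                // distinct edges reached by the whole corpus
};

// Minimal coverage guided loop, a stand-in for what libFuzzer/AFL do: take each
// corpus entry, apply every single-byte deletion and substitution, and keep a
// mutant only if it reaches an edge no earlier input reached. Deterministic
// (no random mutator) so the outcome is reproducible.
FuzzResult coverage_guided_fuzz(const std::string &seed) {
  const std::string alphabet = "REC:=;a1";   // assumed byte alphabet for substitutions
  std::set<int> global = edges_for(seed);
  std::vector<std::string> corpus{seed};
  for (size_t idx = 0; idx < corpus.size(); ++idx) {
    const std::string base = corpus[idx];  // copy: push_back below may reallocate
    for (size_t pos = 0; pos < base.size(); ++pos) {
      std::vector<std::string> mutants;
      mutants.push_back(base.substr(0, pos) + base.substr(pos + 1));  // delete one byte
      for (char c : alphabet) {                                        // substitute one byte
        std::string m = base;
        m[pos] = c;
        mutants.push_back(m);
      }
      for (const std::string &m : mutants) {
        bool novel = false;
        for (int e : edges_for(m)) if (global.insert(e).second) novel = true;
        if (novel) corpus.push_back(m);  // new coverage: becomes a base for further mutation
      }
    }
  }
  return {corpus, global.size()};
}

#ifndef LIBFUZZER_BUILD
#include <cstdio>
int main() {
  FuzzResult r = coverage_guided_fuzz("REC:a=1;");
  printf("%zu edges reached, corpus of %zu inputs:\n", r.edges_seen, r.corpus.size());
  for (const std::string &s : r.corpus) printf("  %s\n", s.c_str());
  return 0;
}
#endif
```

Starting from the single seed "REC:a=1;", which reaches four of the eight edges, the loop keeps exactly the four mutants that each expose a new branch (a broken magic, an empty key, a missing '=' and an unterminated last record) and then stops growing the corpus, because once every edge is covered no mutant can be novel. That growth-on-new-coverage behaviour is what a coverage guided engine relies on, and it is also why the corpus can balloon on a large target, which is the trade-off the article turns to next.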

This is where blackbox fuzzing comes into play: it generates inputs for a target without any knowledge of how the program is implemented. Because each input is either generated from scratch or produced by mutating a static corpus of files, the corpus does not grow as it does with coverage guided fuzzing. That is a trade-off: the engine loses the feedback that steers it towards unexplored code, but it avoids the per-input coverage tracing and ever-growing corpus that become too expensive on large, slow targets.

ClusterFuzz can be run locally to try out its core features, but several of its functions depend on Google Cloud services and are disabled in a local instance. Local development is supported on Linux and macOS only.

To get ClusterFuzz running you need the Google Cloud SDK, Python 2.7 and Go installed. The remaining dependencies are bundled into an installation script, which is available for recent Debian releases and for several Ubuntu and macOS versions.

The source code is available on GitHub, where the project is licensed under the Apache License 2.0.