By Mike Aizatsky, Kostya Serebryany (Software Engineers, Dynamic Tools); Oliver Chang, Abhishek Arya (Security Engineers, Google Chrome); and Meredith Whittaker (Open Research Lead).
We are happy to announce OSS-Fuzz, a new Beta program
developed over the past years with the Core Infrastructure Initiative community. This program will provide
continuous fuzzing for select core open source software.
Open source software is the backbone of the many apps, sites, services, and
networked things that make up "the internet." It is important that the open
source foundation be stable, secure, and reliable, as cracks and weaknesses
impact all who build on it.
Recent security stories
confirm that errors like
buffer overflow and
use-after-free can have serious, widespread consequences when they occur in
critical open source software. These errors are not only serious, but
notoriously difficult to find via routine code audits, even for experienced
developers. That's where
fuzz testing comes in. By feeding a program large volumes of generated or
mutated inputs and watching for crashes and sanitizer reports, fuzzing triggers
such errors and helps uncover them quickly and thoroughly.
In recent years, several efficient general purpose fuzzing engines have been
implemented (e.g. AFL and libFuzzer ), and we use them to fuzz
various components of the Chrome browser. These fuzzers, when combined with
Sanitizers, can help find
security vulnerabilities (e.g. buffer overflows, use-after-free, bad casts,
integer overflows, etc), stability bugs (e.g. null dereferences, memory leaks,
out-of-memory, assertion failures, etc) and sometimes
even logical bugs.
OSS-Fuzz's goal is to make common software infrastructure more secure and stable
by combining modern fuzzing techniques with scalable distributed execution.
OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers
(initially, AddressSanitizer)
and provides a massive distributed execution environment powered by ClusterFuzz.
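To make the pieces concrete, here is an added example (my own code, not from OSS-Fuzz, FreeType or the post) of the unit that a project contributes to OSS-Fuzz: a libFuzzer target. The record format, the function names and the NO_MAIN/FUZZ_BUGGY macros are my assumptions for illustration. The unchecked parser trusts a length byte, which is exactly the class of bug AddressSanitizer reports as a heap-buffer-overflow READ; the checked variant beside it adds the missing bound.

```c
/* Added example (not OSS-Fuzz, FreeType or blog-post code): a libFuzzer-style
 * target for a constructed record format, with the vulnerable parser next to
 * the fixed one. Macro names and function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed format: one length byte followed by that many payload bytes. */

/* Vulnerable variant: trusts the length byte. With input {0x05, 0x01, 0x02}
 * it reads three bytes past the end of the buffer; built with
 * -fsanitize=fuzzer,address, libFuzzer finds this quickly and ASan reports
 * "heap-buffer-overflow ... READ of size 1". Never call it on untrusted data. */
int64_t sum_record_unchecked(const uint8_t *data, size_t size) {
    if (size < 1) return -1;
    size_t len = data[0];
    int64_t sum = 0;
    for (size_t i = 0; i < len; i++)      /* BUG: no check that 1 + len <= size */
        sum += data[1 + i];
    return sum;
}

/* Fixed variant: rejects a record whose declared length exceeds the buffer.
 * Returns the payload sum, or -1 for an empty or truncated record. */
int64_t sum_record_checked(const uint8_t *data, size_t size) {
    if (size < 1) return -1;
    size_t len = data[0];
    if (len > size - 1) return -1;        /* the bounds check the bug lacked */
    int64_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += data[1 + i];
    return sum;
}

/* libFuzzer entry point. The engine calls this in-process for every generated
 * input, after copying the input into a heap buffer of exactly `size` bytes,
 * so even a one-byte over-read lands in an ASan redzone. Build the fuzzer with
 *   clang -g -O1 -fsanitize=fuzzer,address -DNO_MAIN example.c
 * and add -DFUZZ_BUGGY to target the unchecked variant and see the report. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
#ifdef FUZZ_BUGGY
    (void)sum_record_unchecked(data, size);
#else
    (void)sum_record_checked(data, size);
#endif
    return 0;   /* non-zero return values are reserved by libFuzzer */
}

/* Stand-alone driver; excluded with -DNO_MAIN because libFuzzer supplies main.
 * Sample inputs are constructed: the second declares five payload bytes but
 * carries only two. */
#ifndef NO_MAIN
int main(void) {
    const uint8_t good[] = {0x03, 0x01, 0x02, 0x03};
    const uint8_t truncated[] = {0x05, 0x01, 0x02};
    printf("good: %lld\n", (long long)sum_record_checked(good, sizeof good));                /* 6 */
    printf("truncated: %lld\n", (long long)sum_record_checked(truncated, sizeof truncated)); /* -1 */
    return 0;
}
#endif
```

The target is deliberately tiny: it takes the raw bytes, returns 0, and never exits or leaks state between calls, which is what lets libFuzzer run it millions of times per core. OSS-Fuzz builds such targets with the project's build script, links them against libFuzzer and ASan, and runs them continuously on ClusterFuzz.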
Early successes
Our initial trials with OSS-Fuzz have had good results. An example is the FreeType library, which is used on over a
billion devices to
display text (and which might even be rendering the characters you are reading
now). It is important for FreeType to be stable and secure in an age when fonts
are loaded over the Internet. Werner Lemberg, one of the FreeType developers, was
an early adopter of OSS-Fuzz. Recently the FreeType
fuzzer found a new heap buffer
overflow only a few hours after the source change:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000ffa
READ of size 2 at 0x615000000ffa thread T0
SCARINESS: 24 (2-byte-read-heap-buffer-overflow-far-from-bounds)
#0 0x885e06 in tt_face_vary_cvt src/truetype/ttgxvar.c:1556:31
OSS-Fuzz automatically notified
the maintainer, who
fixed the bug; then OSS-Fuzz automatically
confirmed the fix. All in one day! You can see the full
list of fixed and disclosed bugs found by OSS-Fuzz so far.
Contributions and feedback are welcome
OSS-Fuzz has already found 150
bugs in several widely used open source projects (and
churns ~4 trillion test cases a week). With your help, we can
make fuzzing a standard part of open source development, and work with the
broader community of developers and security testers to ensure that bugs in
critical open source applications, libraries, and APIs are discovered and fixed.
We believe that this approach to automated security testing will result in real
improvements to the security and stability of open source software.
OSS-Fuzz is launching in Beta right now, and will be accepting suggestions for
candidate open source projects. In order for a project to be accepted to
OSS-Fuzz, it needs to have a large user base and/or be critical to Global IT
infrastructure, a general heuristic that we are intentionally leaving open to
interpretation at this early stage. See more details and instructions on how to
apply here.
Once a project is signed up for OSS-Fuzz, it is automatically subject to the
90-day disclosure deadline for newly reported bugs in our tracker (see details
here).
This matches industry's best
practices and improves end-user security and stability by getting patches to
users faster.
Help us ensure this program is truly serving the open source community and the
internet which relies on this critical software: contribute, and leave your
feedback on GitHub.
Android, even if only the AOSP part, is probably a great candidate for the "eat your own dog food" exercise.
+1
+1
+2
I remember using a tool called BoundsChecker on Windows 3.1 apps. It would intercept all API calls looking for issues, in particular looking for the proper freeing of Windows handles and memory.
I wonder whether a similar principle could be applied to monitor how the low level libraries are used? The great thing about it was its ease of use.