News

Google Launches Open Source Security Tool in Beta

• By David Ramel
• December 5, 2016

Google wants to make "fuzz testing" -- providing random data inputs to programs -- a standard part of open source development.

To that end, it just launched a beta program for OSS-Fuzz, a project on GitHub. It seeks to help standardize modern fuzzing techniques and combine them with a distributed execution model that can scale as needed.

According to Wikipedia: "Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks."

Google said the technique can be used to ensure popular open source components -- specifically those considered to be critical parts of the global IT infrastructure -- are stable, secure and reliable.

"Recent security stories confirm that errors like buffer overflow and use-after-free can have serious, widespread consequences when they occur in critical open source software," the company said in a recent blog post. "These errors are not only serious, but notoriously difficult to find via routine code audits, even for experienced developers. That's where fuzz testing comes in. By generating random inputs to a given program, fuzzing triggers and helps uncover errors quickly and thoroughly."

OSS-Fuzz will combine different fuzzing engines -- starting with libFuzzer -- and other components in a scalable distributed execution environment leveraging the ClusterFuzz project.

Google said the tool, which will provide continuous fuzz testing for select projects, was developed over a period of years in conjunction with the Core Infrastructure Initiative community.

The company said the project has already discovered some 150 bugs in popular open source projects.

The project is accepting other candidates for the program, with no strict definition of what exactly makes them suitable beyond the guidance that projects be widely used and critical to IT infrastructure.