OSS-Fuzz – Continuous Fuzzing of Open Source Projects

OSS-Fuzz is an open source project developed by Google in cooperation with the Core Infrastructure Initiative. The framework runs fuzz testing continuously to uncover programming errors in software. Many of the errors it detects, such as buffer overflows, can have serious security implications.

As of January 2020, OSS-Fuzz has found over 16,000 bugs in 250 open source projects.


Fuzz testing works by generating a stream of random variations of data that resembles real input (for example, an HTML page with random tag parameters, or images with anomalous headers) and feeding it to the program under test. If an input crashes the application or produces behavior that does not match what is expected, it is very likely to indicate a bug or a security vulnerability.

The framework is built on the libFuzzer and AFL fuzzing engines combined with sanitizers, and on ClusterFuzz, a distributed fuzzer execution environment and reporting tool.
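To make the process described above concrete, here is an added example (not code from the OSS-Fuzz project) of what a libFuzzer-style fuzz target looks like: a small, constructed length-prefixed record parser and the `LLVMFuzzerTestOneInput` entry point that OSS-Fuzz drives with generated inputs. The record format, `parse_record` and `MAX_NAME` are assumptions made for this illustration.

```c
// Constructed example: a libFuzzer-style fuzz target for a tiny length-prefixed
// record parser. Added illustration, not code from the OSS-Fuzz project.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NAME 32

// Record layout (constructed for this example):
//   [0]    version, must be 1
//   [1]    name_len
//   [2..]  name bytes (name_len of them), then 4-byte little-endian payload size
typedef struct {
    uint8_t  version;
    char     name[MAX_NAME + 1];
    uint32_t payload_len;
} record_t;

// Returns 0 on success, negative on malformed input. Every read is bounds-checked
// against `len`; dropping any of these checks is exactly the kind of defect a
// fuzzer running under AddressSanitizer reports as a buffer overflow.
int parse_record(const uint8_t *data, size_t len, record_t *out) {
    if (len < 2) return -1;
    if (data[0] != 1) return -2;
    size_t name_len = data[1];
    if (name_len > MAX_NAME) return -3;          // would overflow out->name
    if (len < 2 + name_len + 4) return -4;       // would read past `data`
    out->version = data[0];
    memcpy(out->name, data + 2, name_len);
    out->name[name_len] = '\0';
    const uint8_t *p = data + 2 + name_len;
    out->payload_len = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

// libFuzzer entry point: OSS-Fuzz calls this once per generated input. A crash,
// sanitizer report or timeout inside this call is what gets filed as a bug.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    record_t rec;
    (void)parse_record(data, size, &rec);
    return 0;   // non-zero return values are reserved by libFuzzer
}
```

Built with `clang -g -fsanitize=fuzzer,address target.c`, libFuzzer supplies `main` and mutates inputs toward new code paths in `parse_record`.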

Among the open source projects already accepted into the OSS-Fuzz repository for testing are coreutils, util-linux, zlib, libarchive, libxml2, libyaml, BoringSSL and many more.

You can read more about the project and find the list of detected vulnerabilities here: https://github.com/google/oss-fuzz
