Recently, Google has open sourced a fuzzing test infrastructure, ClusterFuzz, which makes it very easy to automate the search and fix bugs in the program.
Fuzzy testing is a method for automating the detection of problems in software by providing unexpected input to the target program. It effectively detects memory corruption errors that can pose serious security risks. Finding these problems manually is difficult and time-consuming, and despite strict code review practices, it is inevitable that some problems will be missed. For software projects written in insecure languages such as C/C++, fuzzing is a key part of ensuring security and stability.
The project team said that in order for the fuzzing to work, it must be continuous, large-scale execution, and integrated into the development of the software project, and in order to provide these features on Chrome, they wrote ClusterFuzz, which is a run Fuzzy test infrastructure on more than 25,000 cores. Two years ago, the team began offering ClusterFuzz as a free service to open source projects via OSS-Fuzz. Today, ClusterFuzz is an open source and available to anyone.
ClusterFuzz provides many features which help seamlessly integrate fuzzing into a software project’s development process:
- Highly scalable. Google’s internal instance runs on over 25,000 machines.
- Accurate deduplication of crashes.
- Fully automatic bug filing and closing for issue trackers (Monorail only for now).
- Testcase minimization.
- Regression finding through bisection.
- Statistics for analyzing fuzzer performance, and crash rates.
- Easy to use web interface for management and viewing crashes.
- Support for coverage guided fuzzing (e.g. libFuzzer and AFL) and blackbox fuzzing.
ClusterFuzz has discovered more than 16,000 bugs in Chrome and more than 11,000 bugs in more than 160 open source projects integrated with OSS-Fuzz. ClusterFuzz is available here.