Google urges open source community to fuzz test code

Google’s open source security team says OSS-Fuzz, its community fuzzing service, has helped fix more than 8,000 security vulnerabilities and 26,000 other bugs in open source projects since its 2016 debut.

And the group would like to see open source developers do more fuzzing to make the world a better place, or at least make software a bit more secure. So it’s offering concrete incentives versus exposure points.

Fuzzing, or fuzz testing, is a software testing technique that tries to find bugs by injecting random or semi-random data into software. It was developed by UW-Madison computer science professor Barton Miller in 1989. Miller wanted to understand how noise created by a rainstorm interfered with his dial-up modem connection to a Unix system, and this opened up new areas of research into code analysis.

Google launched OSS-Fuzz in 2016 in response to the Heartbleed vulnerability, a memory buffer overflow flaw that could have been detected by fuzz testing.

“At the time, though, fuzzing was not widely used and was cumbersome for developers, requiring extensive manual effort,” explain Jonathan Metzman and Dongge Liu, from Google’s Open Source Security Team, in a blog post.

OSS-Fuzz currently checks some 700 critical open source projects for bugs and in July spotted a serious flaw in the TinyGLTF project, a library that relies on the C library function wordexp() for file path expansion on untrusted paths from an input file.

“This vulnerability shows that it was possible to inject backticks into the input glTF file format and allow commands to be executed during parsing,” explained Metzman and Liu.

Any project incorporating TinyGLTF as a dependency was potentially vulnerable, so this was a meaningful win for fuzzing.
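As an added illustration (not code from TinyGLTF, OSS-Fuzz or the Google post), here is one defensive way to call wordexp() on a path read from an untrusted file, so that backticks or `$(...)` are refused rather than run. The function name, the rejected character set and the sample paths are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Characters that trigger substitution or quoting in wordexp() (assumed set). */
static const char SHELL_META[] = "`$()|&;<>{}\\\"'\n";

/*
 * Expand a path taken from an untrusted file.
 * Returns 0 and writes the result to out, or -1 if the path is rejected.
 * The risky pattern is wordexp(path, &we, 0): with flags == 0, backticks
 * and $(...) inside the path are handed to a shell.
 */
int expand_untrusted_path(const char *path, char *out, size_t outlen)
{
    wordexp_t we;
    int rc = -1;

    /* Layer 1: refuse metacharacters before wordexp() ever sees them. */
    if (path == NULL || *path == '\0' || strpbrk(path, SHELL_META) != NULL)
        return -1;

    /* Layer 2: WRDE_NOCMD makes wordexp() fail with WRDE_CMDSUB instead of
     * running a command; WRDE_UNDEF turns unset variables into errors. */
    int err = wordexp(path, &we, WRDE_NOCMD | WRDE_UNDEF);
    if (err != 0) {
        if (err == WRDE_NOSPACE)
            wordfree(&we);          /* partial results may be allocated */
        return -1;
    }

    /* A path must expand to exactly one word that fits the buffer. */
    if (we.we_wordc == 1 && strlen(we.we_wordv[0]) < outlen) {
        strcpy(out, we.we_wordv[0]);
        rc = 0;
    }
    wordfree(&we);
    return rc;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real glTF file. */
    const char *samples[] = { "models/texture.png", "`echo x`.png", "a b.png" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = expand_untrusted_path(samples[i], buf, sizeof buf);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

The space-containing path is rejected because wordexp() splits it into two words, which is one reason shell-style expansion is a poor fit for file names from untrusted input.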

Metzman and Liu attribute the find to the work their security team undertook last December in response to the Log4Shell vulnerability. That effort led to the development of new sanitizers that could identify bugs capable of being exploited to carry out arbitrary commands in any programming language. One of those sanitizers, SystemSan, is credited with spotting the TinyGLTF bug.

The work has led to proof-of-concept code for spotting problems in JavaScript and Python programs, and, with the help of security firm Code Intelligence, to the creation of sanitizers for various Java-specific issues. According to Metzman and Liu, several deserialization and LDAP injection vulnerabilities have already been found using these tools and are awaiting coordinated disclosure.

Metzman and Liu have encouraged those participating in the open source community to embrace fuzzing and have dangled the prospect of rewards. Those who integrate a new sanitizer in OSS-Fuzz, or a fuzzing engine like Jazzer, that finds at least two previously unidentified vulnerabilities in OSS-Fuzz projects will receive an $11,337 award.

Alternatively, those integrating a new project of sufficient importance into OSS-Fuzz – one that has a large user base and/or is critical to global IT infrastructure – are eligible for awards ranging from $1,000 to $20,000.

“Fuzzing still has a lot of unexplored potential in discovering more classes of vulnerabilities,” conclude Metzman and Liu.