Skip to content
Abhishek Arya 4 min read

Short Intro to OSS-Fuzz

Abhishek Arya, being a Software Engineer at Google, is also a member of the Google Chrome Security Team and the creator of ClusterFuzz. Abhishek founded OSS-Fuzz in 2016. Since then, the open-source fuzzing engine has detected over 30 000 bugs in 500 open-source projects.

What Is OSS-Fuzz?

OSS-Fuzz is a free fuzzing platform for the open-source community. It started with three primary goals in mind:

  • Finding security vulnerabilities, stability issues, and functional bugs at scale (OSS-Fuzz supports AFL++, HongFuzz, and many more open-source fuzzers).
  • Making the platform easy to use for open-source developers and encouraging them to take security testing into their own hands.
  • Getting the bugs fixed quickly (OSS-Fuzz has a 90% fix-rate!).

History of OSS-Fuzz

  • OSS-Fuzz was launched in 2016. Back then, it only supported C/C++ projects. To increase the adoption of the service, Google launched a public reward program. Developers can now receive up to 20 000 USD for integrating their open-source projects into OSS-Fuzz. 

  • In 2019 OSS-Fuzz started expanding to new languages like Golang and Rust support. 

  • In early 2020, the OSS team started FuzzBench as a service that allowed fuzzing research to be evaluated at scale. AFL++, for example, emerged from regular experimentation from FuzzBench. 

  • Since December 2020, OSS-Fuzz also supports fuzz testing for applications in Python.

  • Most recently, Google’s Open-Sources Security Team collaborated with Code Intelligence to implement fuzz testing support for Java and other JVM-based languages, like Kotlin, Scala, and Groovy.

What languages does OSS-Fuzz support?

In the future, OSS-Fuzz wants to support all existing and active programming languages. So far, OSS-Fuzz already supports Python, Java (and all other JVM-based languages), C/C++, Go, and Rust.
*According to GitHut 2.0 (refers to pull requests)

OSS-Fuzz Found More Than 22 000 Functional Bugs

OSS-Fuzz has been serving the open-source community for a while now. Thus, it has some great results to show. More than 400 open-source projects have been integrated into the OSS-Fuzz service for continuous fuzz testing.

A lot of critical open-source libraries, including curl, TensorFlow, Kubernetes, OpenSSL, etc. are all getting fuzzed through OSS-Fuzz. To this date, OSS-Fuzz has found more than 6 000 unique security vulnerabilities and over 22 000 functional bugs. Last year, Google even scaled up their infrastructure to 100 000 CPU cores, which helps to fuzz those open-source projects tremendously.

In this talk, Abhishek (OSS-Fuzz) and Fabian (Jazzer) discuss the scope of open-source fuzzing with OSS-Fuzz and their joint efforts on the integration of Java fuzzing into OSS-Fuzz.

Event Recap

Learn How to Find Your First Bugs With OSS-Fuzz

Open-source developers can now also integrate Java projects into OSS-Fuzz. Since the release of Java support, OSS-Fuzz has already found over 50 bugs in more than 15 popular open-source Java libraries (e.g., owasp/json-sanitizer, apache/pdfbox, fasterXML/jackson). And 8 of the 50 bugs were security-critical, potentially compromising hundreds of other applications that also rely on this software.

But in the end, the success of OSS-Fuzz depends on support from the community. Therefore, we also need your help to onboard your open-source projects in OSS-Fuzz. I strongly believe that we can make open-source software even more secure if we join forces.

This was a short intro, learn how to integrate your open-source project into OSS-Fuzz.


Sign Up With GitHub

abhishek_arya_full (1)

About Abhishek

Abhishek Arya is one of the engineers at the Google Open Source Security Team. Being passionate about software security, together with colleagues, he has launched OSS-Fuzz, which is a continuous testing platform for open-source software.