Abhishek Arya is a Software Engineer at Google, a member of the Google Chrome Security Team, and the creator of ClusterFuzz. Abhishek founded OSS-Fuzz in 2016. Since then, the open-source fuzzing engine has detected over 30 000 bugs in 500 open-source projects.
What Is OSS-Fuzz?
OSS-Fuzz is a free fuzzing platform for the open-source community. It started with three primary goals in mind:
- Finding security vulnerabilities, stability issues, and functional bugs at scale (OSS-Fuzz supports AFL++, Honggfuzz, and many more open-source fuzzers).
- Making the platform easy to use for open-source developers and encouraging them to take security testing into their own hands.
- Getting the bugs fixed quickly (OSS-Fuzz has a 90% fix rate!).
History of OSS-Fuzz
OSS-Fuzz was launched in 2016. Back then, it only supported C/C++ projects. To increase the adoption of the service, Google launched a public reward program. Developers can now receive up to 20 000 USD for integrating their open-source projects into OSS-Fuzz.
In 2019, OSS-Fuzz started expanding to new languages, adding Golang and Rust support.
Since December 2020, OSS-Fuzz also supports fuzz testing for applications in Python.
Most recently, Google’s Open Source Security Team collaborated with Code Intelligence to implement fuzz testing support for Java and other JVM-based languages, like Kotlin, Scala, and Groovy.
In the future, OSS-Fuzz wants to support all existing and active programming languages. So far, OSS-Fuzz already supports Python, Java (and all other JVM-based languages), C/C++, Go, and Rust.
*According to GitHut 2.0 (refers to pull requests)
OSS-Fuzz Found More Than 22 000 Functional Bugs
OSS-Fuzz has been serving the open-source community for a while now. Thus, it has some great results to show. More than 400 open-source projects have been integrated into the OSS-Fuzz service for continuous fuzz testing.
Many critical open-source libraries, including curl, TensorFlow, Kubernetes, and OpenSSL, are fuzzed through OSS-Fuzz. To date, OSS-Fuzz has found more than 6 000 unique security vulnerabilities and over 22 000 functional bugs. Last year, Google even scaled up its infrastructure to 100 000 CPU cores, which helps tremendously in fuzzing those open-source projects.
Learn How to Find Your First Bugs With OSS-Fuzz
Open-source developers can now also integrate Java projects into OSS-Fuzz. Since the release of Java support, OSS-Fuzz has already found over 50 bugs in more than 15 popular open-source Java libraries (e.g., owasp/json-sanitizer, apache/pdfbox, FasterXML/jackson). Of those 50 bugs, 8 were security-critical, potentially compromising hundreds of other applications that also rely on this software.
But in the end, the success of OSS-Fuzz depends on support from the community. Therefore, we also need your help to onboard your open-source projects in OSS-Fuzz. I strongly believe that we can make open-source software even more secure if we join forces.
This was a short intro. Learn how to integrate your open-source project into OSS-Fuzz.
Abhishek Arya is one of the engineers at the Google Open Source Security Team. Passionate about software security, he launched OSS-Fuzz together with colleagues. OSS-Fuzz is a continuous testing platform for open-source software.