Short Intro to OSS-Fuzz

April 16 2021 | 3 min

Abhishek Arya, who is currently Principal Software Engineer at Google, is one of the early members of the Google Chrome Security Team and the founder of ClusterFuzz. Together with his team, he launched OSS-Fuzz back in 2016. Since then, the open-source fuzzing engine has found over 28 000 bugs in more than 400 open-source projects.

What Is OSS-Fuzz?

OSS-Fuzz is a free fuzzing platform for the open-source community. It started with three primary goals in mind:

  1. Finding security vulnerabilities, stability issues, and functional bugs at scale (OSS-Fuzz supports AFL++, HongFuzz, and many more open-source fuzzers).

  2. Making the platform easy to use for open-source developers and encouraging them to take security testing into their own hands.

  3. Getting the bugs fixed quickly (OSS-Fuzz has a 90% fix-rate!).

History of OSS-Fuzz

  • OSS-Fuzz was launched in 2016. Back then, it only supported C/C++ projects. To increase the adoption of the service, Google launched a public reward program. Developers can now receive up to 20 000 USD for integrating their open-source projects into OSS-Fuzz. 

  • In 2019 OSS-Fuzz started expanding to new languages like Golang and Rust support. 

  • In early 2020, the OSS team started FuzzBench as a service that allowed fuzzing research to be evaluated at scale. AFL++, for example, emerged from regular experimentation from FuzzBench. 

  • Since December 2020, OSS-Fuzz also supports fuzz testing for applications in Python.

  • Most recently, Google’s Open-Sources Security Team collaborated with Code Intelligence to implement fuzz testing support for Java and other JVM-based languages, like Kotlin, Scala, and Groovy.

What languages does OSS-Fuzz support?

In the future, OSS-Fuzz wants to support all existing and active programming languages. So far, OSS-Fuzz already supports Python, Java (and all other JVM-based languages), C/C++, Go, and Rust.
*According to GitHut 2.0 (refers to pull requests)

OSS-Fuzz Found More Than 22 000 Functional Bugs

OSS-Fuzz has been serving the open-source community for a while now. Thus, it has some great results to show. More than 400 open-source projects have been integrated into the OSS-Fuzz service for continuous fuzz testing.

A lot of critical open-source libraries, including curl, TensorFlow, Kubernetes, OpenSSL, etc. are all getting fuzzed through OSS-Fuzz. To this date, OSS-Fuzz has found more than 6 000 unique security vulnerabilities and over 22 000 functional bugs. Last year, Google even scaled up their infrastructure to 100 000 CPU cores, which helps to fuzz those open-source projects tremendously.

In this talk, Abhishek (OSS-Fuzz) and Fabian (Jazzer) discuss the scope of open-source fuzzing with OSS-Fuzz and their joint efforts on the integration of Java fuzzing into OSS-Fuzz.

Event Recap

Learn How to Find Your First Bugs With OSS-Fuzz

Open-source developers can now also integrate Java projects into OSS-Fuzz. Since the release of Java support, OSS-Fuzz has already found over 50 bugs in more than 15 popular open-source Java libraries (e.g., owasp/json-sanitizer, apache/pdfbox, fasterXML/jackson). And 8 of the 50 bugs were security-critical, potentially compromising hundreds of other applications that also rely on this software.

But in the end, the success of OSS-Fuzz depends on support from the community. Therefore, we also need your help to onboard your open-source projects in OSS-Fuzz. I strongly believe that we can make open-source software even more secure if we join forces.

This was a short intro, learn how to integrate your open-source project into OSS-Fuzz.


Sign Up With GitHub

abhishek_arya_full (1)

About Abhishek

Abhishek Arya is one of the engineers at the Google Open Source Security Team. Being passionate about software security, together with colleagues, he has launched OSS-Fuzz, which is a continuous testing platform for open-source software.

Recent Posts

One Year of Fuzzing and Fixing Suricata

Autofuzz: Fuzzing Without Writing Fuzz Targets or Harnesses

Fuzzing 101 – The Basics (FAQ)

19 Bugs in Jsoup Found With Jazzer

Share Article

Subscribe to updates