Google Launches OSS-Fuzz Open Source Fuzzing Service

Just two months after Microsoft announced its Project Springfield code fuzzing service, Google has launched the beta of its own OSS-Fuzz. The purpose in both cases is to help developers locate the bugs that eventually lead to breaches. But the services, like the two organizations, are very different: one is paid for while the other is free; one is proprietary while the other is open source.

Google describes OSS-Fuzz as ‘continuous fuzzing for open source software’. “OSS-Fuzz’s goal,” wrote the development team in Google’s Testing Blog yesterday, “is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution. OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers (initially, AddressSanitizer) and provides a massive distributed execution environment powered by ClusterFuzz.”
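
To illustrate the libFuzzer and AddressSanitizer pairing described above, here is an added example (not code from Google, OSS-Fuzz or FreeType): a fuzz target for a constructed length-prefixed record format. The `parse_records` function and the record format are assumptions made for illustration.

```c
/* Added example: libFuzzer target for a constructed record format
 * (1-byte tag, 1-byte payload length, payload). Hypothetical code.
 * Build: clang -g -O1 -fsanitize=fuzzer,address record_fuzz.c */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser under test: returns the number of well-formed
 * records, or -1 if the input is truncated or a record claims more
 * payload than the buffer holds. */
int parse_records(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 2) return -1;      /* truncated header */
        size_t plen = buf[off + 1];        /* attacker-controlled length */
        off += 2;
        /* Without this check the memcpy below reads past the end of the
         * input buffer; under AddressSanitizer that is reported as a
         * heap-buffer-overflow at the exact faulting access. */
        if (plen > len - off) return -1;
        uint8_t payload[255];
        memcpy(payload, buf + off, plen);
        (void)payload;
        off += plen;
        count++;
    }
    return count;
}

/* Entry point that libFuzzer calls once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    int n = parse_records(data, size);
    /* Invariant: every record consumes at least two bytes. abort() turns
     * a logic bug into a crash the fuzzer records and reports. */
    if (n >= 0 && (size_t)n > size / 2) abort();
    return 0;   /* libFuzzer expects 0 */
}
```

The sanitizer catches memory errors and the `abort()` invariant catches logic errors; the fuzzing engine only supplies inputs and records which ones crash.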

It fills a gap left by Project Springfield. Since the Microsoft fuzzing service is a commercial product, it can only be used by customers willing to pay for it. This does not exclude open source developers, but it is noticeable that it is specifically marketed at business customers: suitable for testing in-house software, software acquired through M&A, and even third-party software being considered for purchase.

Google notes that “Open source software is the backbone of the many apps, sites, services, and networked things that make up ‘the internet’…  An example is the FreeType library, which is used on over a billion devices to display text (and which might even be rendering the characters you are reading now).” It is important that such software is bug free and secure. “Recently the FreeType fuzzer found a new heap buffer overflow only a few hours after the source change.”

The ‘continuous’ nature of the service solves another problem: open source software may have multiple maintainers applying software changes almost on an ongoing basis. “OSS-Fuzz automatically notified the maintainer, who fixed the bug,” announced Google; “then OSS-Fuzz automatically confirmed the fix. All in one day!”

There is no suggestion that either Google’s or Microsoft’s service is better than the other — they are different methods serving different purposes. “The OSS-Fuzz effort,” said HD Moore, the Metasploit founder now with Special Circumstances LLC, “can be compared to the Coverity program for open source projects; a way to apply commercial-level resources to improving the security of critical open source programs and libraries. 

“Project Springfield seems a bit different,” he continued, “in that it focuses on providing a for pay service for all developers, not just open source projects. Google as a company has already made significant contributions to this space through their employee work on open source tools (AFL, etc) and this effort seems very much in that vein.”

For now, the Google beta is only accepting open source projects that have a large user base and/or are critical to global IT infrastructure. The implication, although not stated categorically, is that this will change. “With your help, we can make fuzzing a standard part of open source development, and work with the broader community of developers and security testers to ensure that bugs in critical open source applications, libraries, and APIs are discovered and fixed.”

Robin Wood is an independent pentester and security tool developer. He’s not sure OSS-Fuzz will eventually be open to anyone. “The Google tool seems a little more limited in the scope of who can use it; it says the project has to have a large user base or be critical to global IT where the Microsoft tool suggests anyone can use it but it will charge,” he told SecurityWeek. “As Google is picking up the tab I can understand why they cap it; so not really a criticism.”

He does, however, believe that Google is taking the right approach. “The MS tool uses software they have created in house whereas the Google tool uses external frameworks and sounds like it can be expanded to use multiple different ones; this would give it more flexibility. Despite trying to be the same, each tool will have its own idiosyncrasies which will make it better in some areas than others.”

Moore added, OSS-Fuzz “seems like a great way to support the open source community and goes beyond what other firms are doing in this space.”

Wood likes both Project Springfield and OSS-Fuzz. “Once things are stable it would be interesting to see a fuzz-off between the two to see what they find. But whichever ends up being considered ‘better’, if I had the opportunity, then I would run my software through both just to be sure.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
