Just two months after Microsoft announced its Project Springfield code fuzzing service, Google has launched the beta of its own OSS-Fuzz. The purpose in both cases is to help developers find the bugs, memory-safety errors among them, that become exploitable vulnerabilities and eventually lead to breaches. But the services, like the two organizations, are very different: one is paid for while the other is free; one is proprietary while the other is open source.
Google describes OSS-Fuzz as ‘continuous fuzzing for open source software’. “OSS-Fuzz’s goal,” wrote the development team in Google’s Testing Blog yesterday, “is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution. OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers (initially, AddressSanitizer) and provides a massive distributed execution environment powered by ClusterFuzz.”
It fills a gap left by Project Springfield. Since the Microsoft fuzzing service is a commercial product, it can only be used by customers willing to pay for it. This does not exclude open source developers, but it is noticeable that it is specifically marketed at business customers: suitable for testing in-house software, software acquired through M&A, and even third-party software being considered for purchase.
Google notes that “Open source software is the backbone of the many apps, sites, services, and networked things that make up ‘the internet’… An example is the FreeType library, which is used on over a billion devices to display text (and which might even be rendering the characters you are reading now).” A bug in a library with that reach is inherited by everything built on it, so it matters that such software is correct and secure. “Recently the FreeType fuzzer found a new heap buffer overflow only a few hours after the source change.”
The ‘continuous’ nature of the service solves another problem: open source software may have multiple maintainers applying software changes almost on an ongoing basis. “OSS-Fuzz automatically notified the maintainer, who fixed the bug,” announced Google; “then OSS-Fuzz automatically confirmed the fix. All in one day!”
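The pieces Google names, a libFuzzer target run under AddressSanitizer, are easier to picture with a concrete harness. The block below is an added example, not code from OSS-Fuzz, FreeType or Google: a fuzz target for a hypothetical length-prefixed record format whose parser trusts the length byte and so reads past the end of the heap buffer libFuzzer hands it, the kind of heap buffer overflow AddressSanitizer reports, beside the corrected parser. The record format, the function names and the build lines in the comments are assumptions made for this example.

```c
// Added example (not OSS-Fuzz, FreeType or Google code): a libFuzzer target
// for a hypothetical record format [len:1][payload:len]. The parser returns
// an XOR checksum of the payload (0..255) or -1 for malformed input.
//
// Build and run the vulnerable version (libFuzzer generates inputs,
// AddressSanitizer reports the over-read, usually within seconds):
//   clang -g -O1 -fsanitize=fuzzer,address record_fuzz.c -o record_fuzz
//   ./record_fuzz
// Build the fixed version and the same run finds nothing:
//   clang -g -O1 -DFIXED -fsanitize=fuzzer,address record_fuzz.c -o record_fuzz_fixed
#include <stddef.h>
#include <stdint.h>

// Vulnerable version: libFuzzer passes `data` as a heap allocation of exactly
// `size` bytes, so any len byte larger than size - 1 makes the loop read past
// the end of that allocation. ASan flags it as heap-buffer-overflow READ.
int record_checksum_vuln(const uint8_t *data, size_t size) {
    if (size < 1) return -1;
    size_t len = data[0];
    uint8_t x = 0;
    for (size_t i = 0; i < len; i++)   // BUG: len never checked against size - 1
        x ^= data[1 + i];
    return x;
}

// Fixed version: the length byte is validated against the bytes actually
// present before anything is read.
int record_checksum_fixed(const uint8_t *data, size_t size) {
    if (size < 1) return -1;
    size_t len = data[0];
    if (len > size - 1) return -1;      // claimed payload longer than input
    uint8_t x = 0;
    for (size_t i = 0; i < len; i++)
        x ^= data[1 + i];
    return x;
}

// libFuzzer entry point: called in a loop with mutated inputs. There is no
// main() here because -fsanitize=fuzzer links libFuzzer's own driver.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
#ifdef FIXED
    record_checksum_fixed(data, size);
#else
    record_checksum_vuln(data, size);
#endif
    return 0;   // return value is ignored; a crash or sanitizer report is the finding
}
```

The same target, checked into a project, is what OSS-Fuzz would rebuild and re-run on every source change; with the bug present, the first input whose length byte exceeds the buffer produces the sanitizer report, and with the fix applied, the run stays clean, which is the "confirmed the fix" step Google describes.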
There is no suggestion that either Google’s or Microsoft’s service is better than the other — they are different methods serving different purposes. “The OSS-Fuzz effort,” said HD Moore, the Metasploit founder now with Special Circumstances LLC, “can be compared to the Coverity program for open source projects; a way to apply commercial-level resources to improving the security of critical open source programs and libraries.
“Project Springfield seems a bit different,” he continued, “in that it focuses on providing a for-pay service for all developers, not just open source projects. Google as a company has already made significant contributions to this space through their employee work on open source tools (AFL, etc) and this effort seems very much in that vein.”
For now, the Google beta is only accepting open source projects that have a large user base and/or are critical to global IT infrastructure. The implication, although not stated categorically, is that this will change. “With your help, we can make fuzzing a standard part of open source development, and work with the broader community of developers and security testers to ensure that bugs in critical open source applications, libraries, and APIs are discovered and fixed.”
Robin Wood is an independent pentester and security tool developer. He’s not sure OSS-Fuzz will eventually be open to anyone. “The Google tool seems a little more limited in the scope of who can use it; it says the project has to have a large user base or be critical to global IT where the Microsoft tool suggests anyone can use it but it will charge,” he told SecurityWeek. “As Google is picking up the tab I can understand why they cap it; so not really a criticism.”
He does, however, believe that Google is taking the right approach. “The MS tool uses software they have created in house whereas the Google tool uses external frameworks and sounds like it can be expanded to use multiple different ones; this would give it more flexibility. Despite trying to be the same, each tool will have its own idiosyncrasies which will make it better in some areas than others.”
Moore added that OSS-Fuzz “seems like a great way to support the open source community and goes beyond what other firms are doing in this space.”
Wood likes both Project Springfield and OSS-Fuzz. “Once things are stable it would be interesting to see a fuzz-off between the two to see what they find. But whichever ends up being considered ‘better’, if I had the opportunity, then I would run my software through both just to be sure.”