Google’s OSS-Fuzz Tool Helps Secure Open Source Projects

313

At the end of last year, Google announced OSS-Fuzz, an open source threat detection tool focused on making open source applications and platforms more secure and stable. The tool itself is open and available on GitHub, and there are now solid numbers showing that this security tool has made a remarkable difference for some well-known open source projects.

By the Numbers

According to Google developers, Fuzz has found more than 1,000 bugs (264 of which are potential security vulnerabilities) in widely used open source projects, some of them major. The bugs have been uncovered in projects ranging from LibreOffice to WireShark, and Google notes the following:

We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process. To this end, we’d like to encourage more projects to participate and adopt the ideal integration guidelines that we’ve established.”

Once an open source project is integrated with OSS-Fuzz, it does continuous and automated scanning so that it can reveal problems only hours after changes go into an upstream repository, before any users are affected.

Google reports: “OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801).”

OSS-Fuzz’s utility is not limited to security, either. It has reported over 300 timeout and out-of-memory failures (75% of which got fixed, according to Google). While not every project treats these as bugs, fixing them improves performance and stability.

A Rewards Program

Google also announced that it is expanding its existing Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz. To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure. Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration (the final amount is at Google’s discretion). Project leaders have the option of donating these rewards to charity instead, and Google will double the amount.

To qualify for the ideal integration reward, projects must show that:

  • Fuzz targets are checked into their upstream repository and integrated in the build system with sanitizer support (up to $5,000).

  • Fuzz targets are efficient and provide good code coverage (>80%) (up to $5,000).

  • Fuzz targets are part of the official upstream development and regression testing process (i.e., they are maintained) run against old known crashers and the periodically updated corpora (up to $5,000).

  • The last $5,000 is a bonus that Google may reward at our discretion for projects that the company feels have gone the extra mile or done something really awesome.

Google is doing some outreach to project leaders to encourage participation in the rewards program, but you may also reach out to participate. Meanwhile, leaders of open source projects may want to look into implementing OSS-Fuzz for more hardened security.

Connect with the open source development community at Open Source Summit NA, Sept. 11-14 in Los Angeles. Save $150 on registration through July 30. Linux.com readers save an additional $47 with discount code LINUXRD5. Register now!