Security Blog
The latest news and insights from Google on security and safety on the Internet
OSS-Fuzz: Five months later, and rewarding projects
8 май 2017 г.
Posted by Oliver Chang, Abhishek Arya (Security Engineers, Chrome Security), Kostya Serebryany (Software Engineer, Dynamic Tools), and Josh Armour (Security Program Manager)
Five months ago, we
announced
OSS-Fuzz
, Google’s effort to help make open source software more secure and stable. Since then, our robot army has been working hard at
fuzzing
, processing 10 trillion test inputs a day. Thanks to the efforts of the open source community who have integrated a total of
47
projects, we’ve found over
1,000
bugs (
264
of which are potential security vulnerabilities).
Breakdown of the types of bugs we’re finding
Notable results
OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects:
10
in FreeType2,
17
in FFmpeg,
33
in LibreOffice,
8
in SQLite 3,
10
in GnuTLS,
25
in PCRE2,
9
in gRPC, and
7
in Wireshark. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view-restricted so links may show smaller numbers.)
Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, so that the chances of users being affected is reduced.
Fuzzing not only finds memory safety related bugs, it can also find correctness or logic bugs. One example is a carry propagating bug in OpenSSL (
CVE-2017-3732
).
Finally, OSS-Fuzz has reported over 300
timeout and out-of-memory failures
(~75% of which got fixed). Not every project treats these as bugs, but fixing them enables OSS-Fuzz to find more interesting bugs.
Announcing rewards for open source projects
We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process. To this end, we’d like to encourage more projects to participate and adopt the
ideal integration
guidelines that we’ve established.
Combined with fixing all the issues that are found, this is often a significant amount of work for developers who may be working on an open source project in their spare time. To support these projects, we are expanding our existing
Patch Rewards
program to include rewards for the integration of
fuzz targets
into OSS-Fuzz.
To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure. Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration (the final amount is at our discretion). You have the option of donating these rewards to charity instead, and Google will double the amount.
To qualify for the ideal integration reward, projects must show that:
Fuzz targets are checked into their upstream repository and integrated in the build system with
sanitizer
support (up to $5,000).
Fuzz targets are
efficient
and provide good code coverage (>80%) (up to $5,000).
Fuzz targets are part of the official upstream development and regression testing process, i.e. they are maintained, run against old known crashers and the periodically updated
corpora
(up to $5,000).
The last $5,000 is a “
l33t
” bonus that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.
We’ve already started to contact the first round of projects that are eligible for the initial reward. If you are the maintainer or point of contact for one of these projects, you may also
reach out
to us in order to apply for our ideal integration rewards.
The future
We’d like to thank the existing contributors who integrated their projects and fixed countless bugs. We hope to see more projects integrated into OSS-Fuzz, and greater adoption of fuzzing as standard practice when developing software.
Няма коментари :
Публикуване на коментар
Етикети
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2023
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2022
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2021
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2020
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2019
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2018
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2017
дек
ное
окт
сеп
юли
юни
май
апр
март
фев
яну
2016
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2015
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
яну
2014
дек
ное
окт
сеп
авг
юли
юни
апр
март
фев
яну
2013
дек
ное
окт
авг
юни
май
апр
март
фев
яну
2012
дек
сеп
авг
юни
май
апр
март
фев
яну
2011
дек
ное
окт
сеп
авг
юли
юни
май
апр
март
фев
2010
ное
окт
сеп
авг
юли
май
апр
март
2009
ное
окт
авг
юли
юни
март
2008
дек
ное
окт
авг
юли
май
фев
2007
ное
окт
сеп
юли
юни
май
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Няма коментари :
Публикуване на коментар