Security Blog
The latest news and insights from Google on security and safety on the Internet
Open sourcing ClusterFuzz
7 de febrero de 2019
Posted by Abhishek Arya, Oliver Chang, Max Moroz, Martin Barbella and Jonathan Metzman (ClusterFuzz team)
[Cross-posted from the
Google Open-Source Blog
]
Fuzzing
is an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program. It is effective at finding
memory corruption bugs
, which often have
serious
security
implications
. Manually finding these issues is both difficult and time consuming, and bugs often slip through despite rigorous code review practices. For software projects written in an
unsafe
language such as C or C++, fuzzing is a crucial part of ensuring their security and stability.
In order for fuzzing to be truly effective, it must be continuous, done at scale, and integrated into the development process of a software project. To
provide these features
for Chrome, we wrote ClusterFuzz, a fuzzing infrastructure running on over 25,000 cores. Two years ago, we began offering ClusterFuzz as a free service to open source projects through
OSS-Fuzz
.
Today, we’re announcing that
ClusterFuzz
is now open source and available for anyone to use.
We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed. ClusterFuzz provides end-to-end automation, from bug detection, to triage (accurate deduplication,
bisection
), to bug reporting, and finally to automatic closure of bug reports.
ClusterFuzz has found more than
16,000
bugs in Chrome and more than
11,000
bugs in over
160
open source projects integrated with OSS-Fuzz. It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect
bugs
hours after they are introduced and verify the fix within a day.
Check out our
GitHub repository
. You can try ClusterFuzz locally by following these
instructions
. In
production
, ClusterFuzz depends on some key
Google Cloud Platform
services, but you can use your own compute cluster. We welcome your contributions and look forward to any suggestions to help improve and extend this infrastructure. Through open sourcing ClusterFuzz, we hope to encourage all software developers to integrate fuzzing into their workflows.
No hay comentarios :
Publicar un comentario
Etiquetas
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2023
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2022
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2021
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2020
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2019
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2018
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2017
dic
nov
oct
sept
jul
jun
may
abr
mar
feb
ene
2016
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2015
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2014
dic
nov
oct
sept
ago
jul
jun
abr
mar
feb
ene
2013
dic
nov
oct
ago
jun
may
abr
mar
feb
ene
2012
dic
sept
ago
jun
may
abr
mar
feb
ene
2011
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
2010
nov
oct
sept
ago
jul
may
abr
mar
2009
nov
oct
ago
jul
jun
mar
2008
dic
nov
oct
ago
jul
may
feb
2007
nov
oct
sept
jul
jun
may
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Follow
No hay comentarios :
Publicar un comentario