Google revealed today that OSS-Fuzz, the company’s automated fuzzing service/bot, has identified and reported over 9,000 vulnerabilities in widely used open source projects in the past two years.
OSS-Fuzz was launched in December 2016 and is an automated tool developed by Google that can find vulnerabilities in applications via a technique called fuzzing.
A fuzzer (fuzzing tool) works by feeding a software application large quantities of random data and analyzing its output for abnormalities and crashes, which in turn give developers a hint about the presence of possible bugs in the app’s code.
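The loop described above, as an added example that is not code from Google or OSS-Fuzz: a fuzz target with a bounds-checked parser beside an unchecked one, and a random-input driver that counts abnormal results. The record format, the parser names and `fuzz_random` are constructed for this illustration; `LLVMFuzzerTestOneInput` is the entry point that libFuzzer-style fuzz targets implement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed toy format: repeated [1-byte length][payload] records.
 * Each parser returns the offset just past the last record it accepted. */
static long parse_unchecked(const uint8_t *d, size_t n) {
    size_t off = 0;
    while (off < n)
        off += 1 + (size_t)d[off];        /* BUG: trusts the length byte */
    return (long)off;
}

/* Same parser with the missing bounds check; returns -1 on malformed input. */
static long parse_checked(const uint8_t *d, size_t n) {
    size_t off = 0;
    while (off < n) {
        size_t len = d[off];
        if (len > n - off - 1) return -1; /* payload would run past the input */
        off += 1 + len;
    }
    return (long)off;
}

typedef long (*parser_fn)(const uint8_t *, size_t);
/* Oracle: a parser must never claim to consume more bytes than it was given. */
static int is_abnormal(parser_fn p, const uint8_t *d, size_t n) {
    return p(d, n) > (long)n;
}

/* Entry point a coverage-guided fuzzer calls once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (is_abnormal(parse_checked, data, size)) abort(); /* crash = finding */
    return 0;
}

/* Stand-alone driver: feeds random buffers, returns how many were abnormal. */
int fuzz_random(parser_fn p, unsigned seed, int iterations) {
    uint8_t buf[64];
    int abnormal = 0;
    srand(seed);
    for (int i = 0; i < iterations; i++) {
        size_t n = (size_t)(rand() % (int)sizeof buf);
        for (size_t j = 0; j < n; j++) buf[j] = (uint8_t)(rand() & 0xff);
        abnormal += is_abnormal(p, buf, n);
    }
    return abnormal;
}
/* Exit 0 when the checked parser is clean and the unchecked one is flagged. */
int main(void) { return !(fuzz_random(parse_checked, 1u, 10000) == 0 && fuzz_random(parse_unchecked, 1u, 10000) > 0); }
```

Remove `main` when linking the target against a fuzzing engine, which supplies its own and generates inputs guided by code coverage rather than `rand()`.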
Fuzzing has been around for decades, but fuzzers have only become widely adopted in recent years, and Google has been one of the main companies pushing both coders and security researchers towards such utilities and techniques.
OSS-Fuzz was released as an open source tool that anyone could download from GitHub and use against their own code, but also as a cloud-based service made available for a select number of open source projects that Google either used internally or deemed critical to the software ecosystem as a whole (there were 47 in May 2017).
The OSS-Fuzz “service” would identify bugs in participating projects, Google security engineers would review the found vulnerabilities, and then submit bug reports based on the findings.
Further, Google also integrated the OSS-Fuzz cloud-based service with its “bug patching” rewards program, meaning that Google would also pay open source projects rewards for bugs identified and reported by its engineers via the OSS-Fuzz platform.
Participating open source projects were eligible to receive between $500 and $20,000 for every patched bug, but they also got bonuses for modifying their code to integrate with OSS-Fuzz at a deeper level.
In a blog post today, Google gave a status update on the OSS-Fuzz project. First and foremost, the OSS-Fuzz cloud-based service has received several updates and is now more automated than before, relying less and less on human reviewers.
“Until recently, [issues found by OSS-Fuzz] were manually reported to various public bug trackers by our security team and then monitored until they were resolved,” said Google. “While this reporting process had some success, it was overly complex. Now, by unifying and automating our fuzzing tools, we have been able to consolidate our processes into a single workflow, based on OSS-Fuzz.”
But while OSS-Fuzz can now identify and report bugs faster, the project still needs to grow and reach new projects, an issue that Google plans to address in the coming weeks.
“Our goal is to admit as many [open source software] projects as possible and ensure that they are continuously fuzzed,” Google said. “In the coming weeks, we will reach out via email to critical projects that we believe would be a good fit and support the community at large.”
The new projects admitted into the OSS-Fuzz cloud service will also be eligible for Google’s Patch Reward Program, meaning that some project maintainers may actually be extremely happy to receive Google’s OSS-Fuzz invitation email, as it could provide them with an additional revenue stream.
In late August, Google also open-sourced another internal fuzzing tool named BrokenType, which one of its engineers had used to identify tens of vulnerabilities in font display (rasterization) components.