Skip to main content

Google Announces 'Fuzz Testing' Project For Open Source Software

Google announced "OSS-Fuzz," a beta project that open source software projects can join to do "fuzz testing." Fuzz testing, or "fuzzing," is an automated testing technique that can uncover memory corruption bugs in software by generating random inputs to a given program.

The program, developed in conjunction with the "Core Infrastructure Initiative" community over the past few years, specifically targets open source projects that have a "large user base" and/or are "critical to Global IT infrastructure."

The Core Infrastructure Initiative was formed by multiple large technology companies, including Google, after the discovery of the Heartbleed bug. The goal of the project is to fund open source software that represents an important part of the web infrastructure. That includes software such as OpenSSL, OpenSSH, GnuPG, the Linux Kernel Self-Protection project, and others.

The OSS-Fuzz project could find the type of security vulnerabilities that tend to be quite common in software written in programming languages such as C and C++, which aren’t memory-safe.

It could identify bugs like the one that was recently discovered in Firefox and the Tor browser, or bugs like Stagefright that affected virtually all Android users. These types of memory corruption bugs are often difficult to find even in security audits, which is why the importance of the OSS-Fuzz project can’t be understated.

The OSS-Fuzz project has already been used to uncover hundreds of security and stability bugs in Chrome, and Google said it’s now willing to share the service with the open source community. Considering that the project has already been used to test the Chrome browser for vulnerabilities, it may be possible to use it for Firefox as well (a browser that, lately, seems like it would need it).

Google hopes to make fuzzing a "standard part of the open source development process' because it believes this sort of testing can lead to significant security improvements in critical software.