Google Unveils OSS-Fuzz to test Open Source Software Security

Google announced OSS-Fuzz, a new, automated tool for spotting security holes in common open source components.

In-brief: Google’s security team on Thursday announced the release of a new tool, OSS-Fuzz, that it says will improve the security of the Internet by providing real-time, automated security testing of common open source components.


In a blog post on December 1, engineers from Google’s Dynamic Tools, Chrome Security team and research group said the new product’s purpose is to make common software infrastructure more secure and stable. It will marry modern input testing (or “fuzzing”) with Google’s global platform, offering what Google describes as “scalable distributed execution.” Open source projects that adopt OSS-Fuzz can have new code submissions scanned in near-real time, allowing them to spot and fix new vulnerabilities.

OSS-Fuzz combines a number of existing fuzzing engines (such as libFuzzer) with various error detection tools, or “sanitizers” (like AddressSanitizer). The tool runs off a “massive distributed execution environment” powered by ClusterFuzz, Chrome’s fuzzing infrastructure.


Google said it has already hit pay dirt with OSS-Fuzz, which spotted a newly created heap buffer overflow in code added to the FreeType library, a common, open source component that is used to display text in more than a billion devices. “Werner Lemberg, one of the FreeType developers, was an early adopter of OSS-Fuzz. Recently the FreeType fuzzer found a new heap buffer overflow only a few hours after the source change,” Google reported. The tool notified the maintainer who immediately fixed the bug. OSS-Fuzz then confirmed the fix.
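
To make the pairing of a fuzzing engine with a sanitizer concrete, here is an added example (not code from Google's post, OSS-Fuzz or FreeType) of a libFuzzer-style fuzz target for a constructed length-prefixed record parser. The `parse_record` function, the record format and the `FUZZ_BUILD` macro are assumptions made for illustration.

```c
/* Added example: libFuzzer-style target for a constructed record parser.
 * Fuzzing build (assumes clang with libFuzzer; FUZZ_BUILD is a hypothetical macro):
 *   clang -g -fsanitize=fuzzer,address -DFUZZ_BUILD target.c
 * Replay build: clang -g -fsanitize=address target.c */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical format: [1-byte length N][N payload bytes].
 * Returns 0 and a heap copy of the payload in *out, or -1 if malformed. */
int parse_record(const uint8_t *data, size_t size, uint8_t **out, size_t *out_len) {
    if (size < 1) return -1;
    size_t n = data[0];
    /* Without this check memcpy would read past the input buffer, which
     * AddressSanitizer reports as a heap-buffer-overflow during fuzzing. */
    if (n > size - 1) return -1;
    uint8_t *buf = malloc(n ? n : 1);
    if (!buf) return -1;
    memcpy(buf, data + 1, n);
    *out = buf;
    *out_len = n;
    return 0;
}

/* Entry point that libFuzzer calls repeatedly with mutated inputs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t *copy = NULL;
    size_t len = 0;
    if (parse_record(data, size, &copy, &len) == 0) {
        if (len > size - 1) abort();  /* property: never more than was supplied */
        free(copy);
    }
    return 0;  /* libFuzzer targets return 0 */
}

#ifndef FUZZ_BUILD
/* Constructed inputs replayed without the fuzzing engine, e.g. as regression tests. */
static const uint8_t ok_input[] = {3, 'a', 'b', 'c'};
static const uint8_t short_input[] = {200, 'a'};  /* claims 200 bytes, has 1 */

int main(void) {
    LLVMFuzzerTestOneInput(ok_input, sizeof ok_input);
    LLVMFuzzerTestOneInput(short_input, sizeof short_input);
    LLVMFuzzerTestOneInput(NULL, 0);
    return 0;
}
#endif
```

In the fuzzing build the engine supplies its own `main` and drives `LLVMFuzzerTestOneInput`; the replay build runs the same entry point over saved inputs under AddressSanitizer.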


The security of common open source components has been shown to be a major risk in recent years. Notably, the Heartbleed vulnerability in OpenSSL was widespread and was used in a number of high-profile attacks on vulnerable, Internet-connected systems.

Studies suggest that the use of open source software exploded in recent years, but that the security of that software is often an issue.

Data from the firm Sonatype showed that open source software use doubled between 2014 and 2015. That company received 31 billion download requests from its Central Repository during 2015, up from over 17 billion such requests in 2014. The average enterprise downloaded 229,000 open source components during the same period. However, software quality continues to be an issue, with a survey of 25,000 applications revealing that close to 7 percent of components in use had a known security defect that could lead to successful attacks, Sonatype warned.

Google’s efforts are part of its work with the Core Infrastructure Initiative, a collaborative effort funded by large technology firms to audit critical open source infrastructure.

Read more on the Google blog: Google Online Security Blog: Announcing OSS-Fuzz: Continuous Fuzzing for Open Source Software
