Google urges open source community to fuzz test code • The Register

Google’s open source security team says OSS-Fuzz, its community fuzzing service, has helped fix more than 8,000 security vulnerabilities and 26,000 other bugs in open source projects since its debut in 2016.

And the group would like to see open source developers do more fuzzing to make the world a better place, or at least make software a little safer. To that end, it is offering concrete incentives.

Fuzzing, or fuzz testing, is a software testing technique that attempts to find bugs by feeding random or semi-random data to software. It was developed by UW-Madison computer science professor Barton Miller in 1989. Miller wanted to understand how the noise created by a rainstorm was interfering with his dial-up modem connection to a Unix system, and this opened up new areas of code analysis research.

Google launched OSS-Fuzz in 2016 in response to the Heartbleed vulnerability, a buffer overflow flaw that could have been detected by fuzz testing.

“At the time, however, fuzzing was not widely used and was cumbersome for developers, requiring considerable manual effort,” explain Jonathan Metzman and Dongge Liu of Google’s open source security team in a blog post.

OSS-Fuzz currently checks some 700 critical open source projects for bugs. In July it spotted a serious defect in TinyGLTF, a library that passed untrusted file paths taken from an input file to the C library function wordexp() for expansion.

“This vulnerability shows that it was possible to inject backticks into the glTF input file format and allow commands to be executed during analysis,” explained Metzman and Liu.

Any project incorporating TinyGLTF as a dependency was potentially vulnerable, so this was a significant win for fuzzing.
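As an illustration of the wordexp() hazard described above, here is an added, defender-side example; it is not code from TinyGLTF or from Google's post. It assumes a hypothetical hardened wrapper, expand_path_safe(), that refuses command-substitution syntax up front and additionally calls wordexp() with the POSIX WRDE_NOCMD flag, which makes the call fail with WRDE_CMDSUB instead of spawning a shell. The LLVMFuzzerTestOneInput() entry point is the standard libFuzzer target signature, so the same validator can be handed to a fuzzer of the kind OSS-Fuzz runs; the sample paths in main() are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical hardened wrapper (an assumption, not TinyGLTF's code):
 * expand a path read from an untrusted input file with wordexp(), but
 * refuse anything that could turn expansion into command execution.
 * Returns 0 and writes the single expanded path to out, or -1 to reject. */
int expand_path_safe(const char *untrusted, char *out, size_t outlen)
{
    if (untrusted == NULL || out == NULL || outlen == 0)
        return -1;

    /* Defence in depth: refuse command-substitution syntax before it
     * ever reaches wordexp(). */
    if (strchr(untrusted, '`') != NULL || strstr(untrusted, "$(") != NULL)
        return -1;

    wordexp_t we;
    /* WRDE_NOCMD makes wordexp() fail with WRDE_CMDSUB rather than
     * running a shell for `...` or $(...). */
    int rc = wordexp(untrusted, &we, WRDE_NOCMD);
    if (rc != 0)
        return -1;                 /* WRDE_CMDSUB, WRDE_BADCHAR, ... */

    int ok = -1;
    /* A file path must expand to exactly one word that fits the buffer. */
    if (we.we_wordc == 1 && strlen(we.we_wordv[0]) < outlen) {
        memcpy(out, we.we_wordv[0], strlen(we.we_wordv[0]) + 1);
        ok = 0;
    }
    wordfree(&we);
    return ok;
}

/* Convenience for tests and the demo: 0 = accepted, -1 = rejected. */
int path_verdict(const char *untrusted)
{
    char out[512];
    return expand_path_safe(untrusted, out, sizeof out);
}

/* libFuzzer-style fuzz target: the fuzzer feeds arbitrary bytes here.
 * NUL-terminate them and run the validator; a sanitizer like SystemSan,
 * which the article credits with this class of finding, would flag any
 * shell the library managed to spawn. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char buf[256];
    if (size == 0 || size >= sizeof buf)
        return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    char out[512];
    (void)expand_path_safe(buf, out, sizeof out);
    return 0;
}

int main(void)
{
    /* Constructed sample paths, as a glTF "uri" field might carry them. */
    const char *samples[] = {
        "textures/base.png",        /* benign, accepted */
        "textures/`id`.png",        /* command substitution, rejected */
        "$(uname)/base.png",        /* command substitution, rejected */
        "textures/base color.png",  /* splits into two words, rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               path_verdict(samples[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The wrapper deliberately rejects a path with an unquoted space, because word splitting yields two words and a loader has no safe way to guess which one was meant; a parser that needs such paths should not be using shell word expansion on them at all.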

Metzman and Liu credit the discovery to work their security team undertook last December in response to the Log4Shell vulnerability. That effort led to new sanitizers capable of identifying bugs that can be exploited to execute arbitrary commands, in any programming language. One of these sanitizers, SystemSan, is credited with spotting the TinyGLTF bug.

The work led to proof-of-concept code to spot such issues in JavaScript and Python programs and, with the help of security firm Code Intelligence, the creation of sanitizers for various Java-specific issues. According to Metzman and Liu, several deserialization and LDAP injection vulnerabilities have already been discovered using these tools and await coordinated disclosure.

Metzman and Liu encouraged those involved in the open source community to embrace fuzzing and held out the prospect of rewards. Those who integrate into OSS-Fuzz a new sanitizer, or a fuzzing engine like Jazzer, that finds at least two previously unknown vulnerabilities in OSS-Fuzz projects will receive a prize of $11,337.

Alternatively, those who incorporate a new project of sufficient importance into OSS-Fuzz – one with a large user base and/or critical to global IT infrastructure – are eligible for rewards ranging from $1,000 to $20,000.

“Fuzzing still has a lot of unexplored potential to uncover more classes of vulnerabilities,” conclude Metzman and Liu. ®

Sam D. Gomez