Google Open Sourced the ClusterFuzz Fuzzing Platform
February 11, 2019
Mo Moin (580 articles)
Share

Google Open Sourced the ClusterFuzz Fuzzing Platform

Google has open sourced ClusterFuzz, its fuzzing infrastructure it has developed to find memory corruption vulnerabilities in Chrome.

Google has open sourced its fuzzing infrastructure ClusterFuzz that the tech giant developed to find memory corruption bugs in the Chrome browser.

ClusterFuzz is a scalable fuzzing tool that can run on clusters with more than 25,000 cores.

The platform has been available as a free service to open source projects through the OSS-Fuzz service.

Fuzzing is an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program. It is effective at finding memory corruption bugs, which often have serious security implications.” reads a blog post published by Google.

“Manually finding these issues is both difficult and time consuming, and bugs often slip through despite rigorous code review practices. For software projects written in an unsafe language such as C or C++, fuzzing is a crucial part of ensuring their security and stability.”

The fuzzing test methodology is effective in detecting bugs in software on a large scale, especially when it is directly integrated with the development process.

ClusterFuzz was created more than 8 years ago to provide end-to-end automation, from bug detection, to triage (accurate deduplication, bisection), to bug reporting, and finally to automatic closure of bug reports.

Google confirmed that to date, ClusterFuzz discovered over 16,000 vulnerabilities in Chrome and more than 11,000 vulnerabilities across more than 160 open source projects integrated with OSS-Fuzz.

“It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day.” continues the blog post.

“Check out our GitHub repository. You can try ClusterFuzz locally by following these instructions.”

ClusterFuzz

ClusterFuzz can be also installed locally on a computer cluster.

This post Google Open Sourced the ClusterFuzz Fuzzing Platform originally appeared on Security Affairs.

Read More