Google has announced a new open source fuzzing project called ClusterFuzzLite, a lightweight version of the existing ClusterFuzz tool, which it open sourced nearly three years ago.
Fuzz testing is an automated software testing technique that feeds invalid, unexpected or random data to a program before it is deployed and observes how it reacts, typically watching for crashes, hangs and memory-safety errors. This helps developers find bugs and flaws that could otherwise be exploited by bad actors.
The rise in software supply chain attacks has drawn attention to the role that open source software plays in business-critical applications and to the vulnerabilities such software can contain. Countless organizations, from government agencies to hospitals and corporations, have been hit by targeted software supply chain attacks. In response, NIST issued guidelines for software verification that list fuzzing among its recommended "minimum standards" for software testing.
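To make the technique concrete, here is an added example that is not code from Google, ClusterFuzz or the article: a deliberately small mutation fuzzer in Python, run against a constructed record parser that trusts its own length field. The parser, its input format, the mutation strategy and the seed input are all invented for illustration; a real engine such as libFuzzer adds coverage feedback and sanitizers, which this loop omits.

```python
import random

# Constructed toy format: one-byte length, payload of that length, one-byte
# checksum. The buggy parser trusts the declared length, which is the defect
# the fuzzer should surface (an out-of-bounds read in a memory-unsafe language;
# an IndexError here).
def parse_record_buggy(data: bytes):
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]          # IndexError when n exceeds the real length
    return payload, checksum

# Hardened version: validate the declared length against what was received
# before indexing past it.
def parse_record_fixed(data: bytes):
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if len(data) < 2 + n:
        raise ValueError("declared length exceeds buffer")
    return data[1:1 + n], data[1 + n]

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: overwrite, insert or delete a single byte."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 0):
    """Minimal mutation-fuzzing loop.

    ValueError is the parser's documented rejection path and is ignored; any
    other exception is treated as a crash and the triggering input is returned.
    Inputs the parser accepts are kept as new mutation sources, a crude stand-in
    for the coverage-guided corpus a real engine maintains. Returns None when no
    crash was found within the iteration budget.
    """
    rng = random.Random(seed)      # fixed seed keeps the run reproducible
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception:
            return candidate
        corpus.append(candidate)
    return None

def reproduce(target, data: bytes) -> str:
    """Re-run one input and report how the target behaved (for triage)."""
    try:
        target(data)
        return "ok"
    except Exception as exc:
        return type(exc).__name__

if __name__ == "__main__":
    # Constructed seed: length 3, payload "abc", checksum "X".
    seed_record = b"\x03abcX"
    crash = fuzz(parse_record_buggy, seed_record)
    print("buggy parser:", crash, reproduce(parse_record_buggy, crash))
    print("fixed parser:", fuzz(parse_record_fixed, seed_record))
```

The loop distinguishes the parser's intended rejection path (ValueError) from anything unexpected, which is the same discipline a real fuzz target needs: a harness that treats every exception as a finding drowns real bugs in noise, and one that swallows everything finds nothing. Run against the hardened parser, the same loop and seed return None, which is what a pull-request fuzzing job would report as a clean run.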
In 2016, Google launched OSS-Fuzz, which combines various fuzzing engines to serve popular open source software projects with continuous fuzzing as part of their quality assurance processes. Shortly after, Google started offering OSS-Fuzz’s ClusterFuzz backend as a free service, and then went on to open-source ClusterFuzz itself in 2019.
Google said that more than 500 "critical" open source projects have integrated with the OSS-Fuzz program, which in turn has identified some 6,500 vulnerabilities and fixed 21,000 functional bugs.
ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, but is essentially a stripped-down alternative that is easier to set up as part of a continuous integration workflow, requiring just a few lines of configuration. In particular, ClusterFuzzLite can fuzz pull requests on GitHub, something ClusterFuzz cannot do, which helps catch bugs before they are merged into the main codebase.
For now, ClusterFuzzLite officially supports a handful of CI systems, including GitHub Actions and Google Cloud Build, with Prow support available as an early-stage beta. Google said that because ClusterFuzzLite was built with extensibility in mind, support for other CI systems should be easy to add further down the line.