Google Open Sources ClusterFuzzLite
ClusterFuzzLite is a stripped-down version of the continuous fuzzing tool ClusterFuzz that integrates with CI tools.
November 11, 2021
Fuzzing is a technique in which the tester throws a large volume of data (“fuzz”), including random or invalid inputs, at an application to see how it reacts. If the application crashes, the tester can look for memory leaks and security flaws. Continuous fuzzing has become a critical part of software development – even the latest guidelines for software verification from the National Institute of Standards and Technology specify fuzzing among the minimum standard requirements.
In 2016, Google released OSS-Fuzz, which combines various fuzzing engines to provide continuous fuzzing, and in 2019 it released one of its services, ClusterFuzz, as open source. ClusterFuzz was famously used to run 50 million test cases per day against various Chrome builds and helped find more than 16,000 bugs in Chrome, Google said at the time. Since its inception, OSS-Fuzz has been used to fix 6,500 vulnerabilities and 21,000 functional bugs, Google said.
ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, sanitizer support, corpus management, and coverage report generation. ClusterFuzzLite runs as part of continuous integration/continuous delivery (CI/CD) workflows, so it can fuzz GitHub pull requests to catch bugs before they are committed.
As of launch, ClusterFuzzLite officially supports GitHub Actions and Google Cloud Build. It also supports Prow as part of an early-stage beta. Support for other CI systems is expected at a later time.
Any project – even closed source projects – can be set up to use ClusterFuzzLite, moving continuous fuzzing from a “nice-to-have” to a critical must-have aspect of secure software development. Google says ClusterFuzzLite is already being used by large projects, including systemd and curl for code review.
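What a project hands to ClusterFuzzLite is a libFuzzer-style fuzz target: a function that takes one generated input and must never crash under the sanitizers the article mentions. The following is an added example, not code from the article or from the ClusterFuzzLite project; the record format, `parse_record` and its length checks are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_TAG 16

struct record {
    uint8_t type;
    uint8_t tag[MAX_TAG];
    size_t tag_len;
    uint16_t value;
};

/* Constructed wire format for this example:
 *   byte 0     record type
 *   byte 1     tag length L (must be <= MAX_TAG)
 *   bytes 2..  L tag bytes
 *   next 2     big-endian 16-bit value
 * Returns 0 on success, -1 on truncated input or oversized L. Every length
 * is checked before the corresponding read; without these checks a fuzzer
 * running under AddressSanitizer would report the out-of-bounds access on
 * the pull request that introduced it. */
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 2) return -1;
    size_t tag_len = data[1];
    if (tag_len > MAX_TAG) return -1;          /* would overflow out->tag */
    if (size < 2 + tag_len + 2) return -1;     /* would read past data */
    out->type = data[0];
    out->tag_len = tag_len;
    memcpy(out->tag, data + 2, tag_len);
    out->value = (uint16_t)((data[2 + tag_len] << 8) | data[3 + tag_len]);
    return 0;
}

/* Entry point that libFuzzer (the engine behind ClusterFuzzLite's sanitizer
 * builds) calls once per generated input. It must return 0 and must not
 * crash, hang or leak for any input; the fuzzer supplies main(). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record r;
    (void)parse_record(data, size, &r);   /* rejection is fine, a crash is a bug */
    return 0;
}
```

Building with `clang -fsanitize=fuzzer,address` yields a stand-alone fuzzer binary; the same target, compiled by a ClusterFuzzLite build script, is what gets run against each pull request.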