Fuzzing is a technique in which the tester throws a lot of data (“fuzz”), including random or invalid inputs, at an application to see how it reacts. If the application crashes, the tester can look for memory leaks and security flaws. Continuous fuzzing has become a critical part of software development – even the latest guidelines for software verification from the National Institute of Standards and Technology specify fuzzing among the minimum standard requirements.
Google released OSS-Fuzz, which combined various fuzzing engines to provide continuous fuzzing, back in 2016, and then released one of its services, ClusterFuzz, as open source in 2019. ClusterFuzz was famously used to run 50 million test cases per day against various Chrome builds and helped find more than 16,000 bugs in Chrome, Google said at the time. Since its inception, OSS-Fuzz has been used to fix 6,500 vulnerabilities and 21,000 functional bugs, Google said.
ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, sanitizer support, corpus management, and coverage report generation. ClusterFuzzLite runs as part of continuous integration/continuous delivery (CI/CD) workflows, so it can fuzz GitHub pull requests to catch bugs before they are committed.
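To show what a continuous fuzzer like ClusterFuzzLite actually builds and runs in a CI job, here is an added example (not code from the article or from the ClusterFuzzLite project): a libFuzzer-style fuzz target wrapped around a constructed toy "key=value" parser. The parser, its status codes and the kv_status helper are assumptions made for illustration; only LLVMFuzzerTestOneInput is the real libFuzzer entry point.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy code under test: split "key=value" into two fixed-size
 * buffers, checking every length before copying so that no input, however
 * malformed, can overrun a buffer. The status codes are invented here. */
#define KV_OK         0
#define KV_NO_EQUALS  1
#define KV_BAD_LENGTH 2
#define KV_BAD_BYTE   3

int parse_kv(const uint8_t *data, size_t size,
             char *key, size_t keycap, char *val, size_t valcap)
{
    const uint8_t *eq = size ? memchr(data, '=', size) : NULL;
    if (eq == NULL)
        return KV_NO_EQUALS;
    size_t klen = (size_t)(eq - data);
    size_t vlen = size - klen - 1;
    if (klen == 0 || klen >= keycap || vlen >= valcap)
        return KV_BAD_LENGTH;           /* reject rather than silently truncate */
    for (size_t i = 0; i < size; i++)
        if (data[i] < 0x20 || data[i] > 0x7e)
            return KV_BAD_BYTE;         /* printable ASCII only */
    memcpy(key, data, klen);   key[klen] = '\0';
    memcpy(val, eq + 1, vlen); val[vlen] = '\0';
    return KV_OK;
}

/* libFuzzer entry point: the engine calls this over and over with mutated
 * inputs. ClusterFuzzLite compiles it with a sanitizer (ASan, UBSan or MSan),
 * so a memory error inside parse_kv aborts the run and the crashing input is
 * reported on the pull request. Must return 0; other values are reserved. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char key[16], val[64];
    (void)parse_kv(data, size, key, sizeof key, val, sizeof val);
    return 0;
}

/* Helper for stand-alone checks: parse a C string with the fuzz target's
 * buffer sizes and return the status code. */
int kv_status(const char *s)
{
    char key[16], val[64];
    return parse_kv((const uint8_t *)s, strlen(s), key, sizeof key, val, sizeof val);
}
```

Built with clang's -fsanitize=fuzzer,address, the same target runs locally; ClusterFuzzLite performs that build and run inside the CI workflow and keeps the corpus between runs.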
As of launch, ClusterFuzzLite officially supports GitHub Actions and Google Cloud Build. It also supports Prow as part of an early-stage beta. Support for other CI systems is expected at a later time.
Any project – even a closed-source one – can be set up to use ClusterFuzzLite, moving continuous fuzzing from a “nice-to-have” to a must-have aspect of secure software development. Google says ClusterFuzzLite is already being used by large projects, including systemd and curl, for code review.