News, news analysis, and commentary on the latest trends in cybersecurity technology.
Google Open Sources ClusterFuzzLite
ClusterFuzzLite is a stripped-down version of continuous fuzzing tool ClusterFuzz that integrates CI tools.
Google has released ClusterFuzzLite, an open source fuzzing project that is a lightweight version of the company’s ClusterFuzz tool.
Fuzzing is a technique where the tester throws a lot of data (“fuzz”), including random or invalid inputs, against an application to see how the application reacts. If the application crashes, the tester can look for memory leaks and security flaws. Continuous fuzzing has become a critical part of software development – even the latest guidelines for software verification from the National Institute of Standards and Technology specifies fuzzing among the minimum standard requirements.
Google released OSS-Fuzz, which combined various fuzzing engines to provide continuous fuzzing capabilities back in 2016, and then released one of the services, ClusterFuzz, as open source in 2019. ClusterFuzz was famously used to run 50 million test cases per day against various Chrome builds and helped find more than 16,000 bugs in Chrome, Google said at the time. Since its inception, OSS-Fuzz has been used to fix 6,500 vulnerabilities and 21,000 functional bugs, Google said.
ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, sanitizer support, corpus management, and coverage report generation. ClusterFuzzLite runs as part of continuous integration/continuous delivery (CI/CD) workflows, so it can fuzz GitHub pull requests to catch bugs before they are committed.
As of launch, ClusterFuzzLite officially supports GitHubActions and Google Cloud Build. It also supports Prow as part of an early-stage beta. Support for other CI systems are expected at a later time.
Any project – even closed source projects – can be set up to use ClusterFuzzLite, moving continuous fuzzing from a “nice-to-have” to a critical must-have aspect of secure software development. Google says ClusterFuzzLite is already being used by large projects, including systemd and curl for code review.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024