Over 16,000 bugs later, Google’s fuzz tester is now open source
It’s always a cause for celebration when another project becomes open source. Google recently open sourced their fuzz testing tool Clusterfuzz. Clusterfuzz has helped find over 16,000 bugs in Chrome. Assure quality control and add Clusterfuzz to your next software development.
Here comes another tool open sourced by Google! This time, security and testing take the center stage. ClusterFuzz helps find bugs in your software so you can exterminate them with its scalable fuzzing infrastructure. Open sourced on February 7, 2019, this service focuses on stability and security.
ClusterFuzz already has some impressive numbers to brag about. So far, it found over 16,000 bugs in Chrome, as well as over 11,000 bugs in open source projects integrated with OSS-Fuzz. If you use Chrome as your browser of choice, then you owe some of your experience to ClusterFuzz. Now you too can harness that power for good and keep your own projects secure and bug-free.
As always, it is a great plus to all developers when a useful tool gets open sourced. Contributing to open source is becoming the new normal, with even large organizations getting on board. Hopefully FOSS will continue to grow and help break down silos.
Benefits of fuzzing
SEE ALSO: The future of open source and DevOps
ClusterFuzz uses fuzz testing to find those impressive amounts of bugs. Fuzz testing is an automated software technique for finding programming errors, some of which can negatively impact security. Memory corruption bugs in particular are no match for fuzzing.
Fuzzing is mostly used for finding bugs in unsafe languages such as C and C++. ClusterFuzz is language agnostic, however it is most recommended for C/C++.
Of course, fuzzing also helps developers save time by automating some of testing. Software testing continues towards more and more automation, which is a blessing for developers under a time crunch (and let’s be real, what developer out there has too much time?).
Most of ClusterFuzz is written in Python (according to GitHub, a majority of 83.8%).
According to Google, ClusterFuzz works fast and is “often able to detect bugs hours after they are introduced and verify the fix within a day”. It is simple to integrate, so try adding it to your next software development process and see if it streamlines anything.
- Highly scalable. Google’s internal instance runs on over 25,000 machines.
- Accurate deduplication of crashes.
- Fully automatic bug filing and closing for issue trackers (Monorail only for now).
- Testcase minimization.
- Regression finding through bisection.
- Statistics for analyzing fuzzer performance, and crash rates.
- Easy to use web interface for management and viewing crashes. (Access restricted to project developers that Google auto CCs on new bug reports.)
- Coverage reports for checking all parts of your source code
- Support for coverage guided fuzzing (e.g. libFuzzer and AFL) and blackbox fuzzing
Local development is currently only supported on Linux and macOS. You will also need the Google Cloud SDK (for production setup), Python 2.7.0+, and Go.
Struggling with understanding any of the terms used? The glossary will help shed some light on what phrases such as “corpus pruning” and “fuzz target” mean. Now, get back to your software testing.
Explore ClusterFuzz on GitHub and start squashing bugs.