Recently, Google decided to unleash its considerable computing power on a different problem: improving the security of open source projects. Google’s OSS-Fuzz project is an effort to find vulnerabilities and other bugs in open source software by applying a huge amount of resources to them in a continuous fuzzing process. Software vendors use fuzzing to throw test inputs at their applications to see how they handle various problems and to try to identify security flaws. It can be a time- and resource-intensive process, but it can produce important results.
But for developers who are working on open source projects, it can be difficult to find the time and correct tools to fuzz their applications. The OSS-Fuzz project allows developers to submit their software to Google and have the company do the task for them, using a variety of fuzzers and sanitizers to find bugs. Google has been running the project for almost six months now and the results have been pretty impressive. OSS-Fuzz has found more than 1,000 bugs in the 47 open source projects it has tested, and more than a quarter of those are security vulnerabilities.
The project is an interesting one for a lot of reasons, most notably because it is designed to help the web community as a whole and not just one company. Open source software is used across the web in an uncountable number of applications and sites, and vulnerabilities in those apps or libraries can have broad effects on the security of the network as a whole. Finding those flaws before they can wreak havoc across the web is an important contribution to the community and its security.
“OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark. We’ve also had at least one bug collision with another independent security researcher,” Google said in a post on the results of OSS-Fuzz.
“Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, so that the chances of users being affected is reduced.”
Some of those vulnerabilities probably would have been discovered through other methods or by other researchers, but many likely would have remained hidden without Google’s help. There aren’t many organizations that possess the kind of computing power that Google has, and the ones that do typically are busy applying it to other problems. Like weather forecasting. Or global surveillance. So to see Google providing resources and support to dozens of open source projects is a nice indication that the cooperative nature of the web still lives on in some corners.
The company is also going to start providing rewards for some projects that are integrated into OSS-Fuzz. Projects that have large user bases and/or are part of the web’s critical infrastructure can get a $1,000 reward once they’re integrated into the OSS-Fuzz system, and can get as much as $20,000 more for various milestones along the way. That’s a significant amount of money, especially for projects that may not have much in the way of permanent outside funding.
Google’s influence is felt across the web in many ways, and the company deserves credit for using its power and resources to help improve security for all.