Fuzzing internships for open source software

Open source software is the foundation of many modern software products. Over the years, developers increasingly have relied on reusable open source components for their applications. It is paramount that these open source components are secure and reliable, as weaknesses impact those that build upon it.

Google cares deeply about the security of the open source ecosystem and recently launched the Open Source Security Foundation with other industry partners. Fuzzing is an automated testing technique to find bugs by feeding unexpected inputs to a target program. At Google, we leverage fuzzing at scale to find tens of thousands of security vulnerabilities and stability bugs. This summer, as part of Google’s OSS internship initiative, we hosted 50 interns to improve the state of fuzz testing in the open source ecosystem.

The fuzzing interns worked towards integrating new projects and improving existing ones in OSS-Fuzz, our continuous fuzzing service for the open source community (which has 350+ projects, 22,700 bugs, 89% fixed). Several widely used open source libraries including but not limited to nginx, postgresql, usrsctp, and openexr, now have continuous fuzzing coverage as a result of these efforts.

Another group of interns focused on improving the security of the Linux kernel. syzkaller, a kernel fuzzing tool from Google, has been instrumental in finding kernel vulnerabilities in various operating systems. The interns were tasked with improving the fuzzing coverage by adding new descriptions to syzkaller like ip tunnels, io_uring, and bpf_lsm for example, refining the interface description language, and advancing kernel fault injection capabilities.

Some interns chose to write fuzzers for Android and Chrome, which are open source projects that billions of internet users rely on. For Android, the interns contributed several new fuzzers for uncovered areas - network protocols such as pppd and dns, audio codecs like monoblend, g722, and android framework. On the Chrome side, interns improved existing blackbox fuzzers, particularly in the areas: DOM, IPC, media, extensions, and added new libprotobuf-based fuzzers for Mojo.

Our last set of interns researched quite a few under-explored areas of fuzzing, some of which were fuzzer benchmarking, ML based fuzzing, differential fuzzing, bazel rules for build simplification and made useful contributions.

Over the course of the internship, our interns have reported over 150 security vulnerabilities and 750 functional bugs. Given the overall success of these efforts, we plan to continue hosting fuzzing internships every year to help secure the open source ecosystem and teach incoming open source contributors about the importance of fuzzing. For more information on the Google internship program and other student opportunities, check out careers.google.com/students. We encourage you to apply.

By: Abhishek Arya, Google Chrome Security

Announcing the latest Google Open Source Peer Bonus winners!

We are very pleased to announce the latest Google Open Source Peer Bonus winners!

The Google Open Source Peer Bonus program rewards external open source contributors nominated by Googlers for their exceptional contributions to open source. Historically, the program was primarily focused on rewarding developers. Over the years the program has evolved—rewarding not just software engineers contributors from every part of open source—including technical writers, user experience and graphic designers, community managers and marketers, mentors and educators, ops and security experts. 

This time around we have 90 winners from an impressive number of countries—24—spread across five continents: Australia, Austria, Canada, China, Costa Rica, Finland, France, Germany, Ghana, India, Italy, Japan, Mozambique, New Zealand, Nigeria, Poland, Portugal, Singapore, Spain, Sweden, Switzerland, Uganda, United Kingdom, and the United States.

Although the majority of recipients in this round were recognized for their code contributions, more than 40% of the successful nominations included tooling work, community work, and documentation. (Some contributors were recognized for their work in more than one area.)

Below is the list of current winners who gave us permission to thank them publicly:

Winner	Project
Xihan Li	A Concise Handbook of TensorFlow 2
Alain Schlesser	AMP Plugin for WordPress
Pierre Gordon	AMP Plugin for WordPress
Catherine Houle	AMP Project
Quyen Le Hoang	ANGLE
Kamil Bregula	Apache Airflow
László Kiss Kollár	auditwheel/manylinux
Jack Neus	Chrome OS Release Branching tool
Fabian Henneke	chromium
Matt Godbolt	Compiler Explorer
Sumeet Pawnikar	coreboot
Hal Seki	covid19
Derek Parker	Delve
Alessandro Arzilli	Delve
Matthias Sohn	Eclipse Foundation
Luca Milanesio	Eclipse Foundation
João Távora	eglot
Brad Cowie	faucetsdn
Harri Hohteri	Firebase
Rosário Pereira Fernandes	Firebase
Peter Steinberger	Firebase iOS, CocoaPods
Eduardo Silva	Fluent Bit
Matthias Sohn	Gerrit Code Review
Marco Miller	Gerrit Code Review
Akim Demaille	GNU Bison
Alex Brainman	Go
Richard Musiol	Go
Roger Peppe	Go, CUE, gohack
Daniel Martí	Go, CUE, many individual repo.
Juan Linietsky	Godot Engine
Maddy Myers	Google Research Open-COVID-19-Data
Pontus Leitzler	govim, gopls
Paul Jolly	govim, gopls
Parul Raheja	Ground
Pau Freixes	gRPC
Marius Brehler	IREE
George Nachman	iterm2
Kenji Urushima	jsrsasign
Jacques Chester	KNative
Markus Thömmes	Knative Serving
Savitha Raghunathan	Kubernetes
David Anderson	libdwarf
Florian Westphal	Linux kernel
Hugo van Kemenade	Many open-source Python projects
Jeff Lockhart	Maps SDK for Android Utility Library
Claude Vervoort	Moodle
Jared McNeill	NetBSD
Nao Yonashiro	nginx-sxg-module
Geoffrey Booth	Node.js
Gus Caplan	Node.js
Guy Bedford	Node.js
Samson Goddy	Open Source Community Africa
Daniel Dyla	OpenTelemetry
Leighton Chen	OpenTelemetry
Shivkanya Andhare	OpenTelemetry
Bartlomiej Obecny	OpenTelemetry
Philipp Wagner	OpenTitan, Ibex, CocoTB
Srijan Reddy	Oppia
Bastien Guerry	Org mode
Gary Kramlich	Pidgin Lead Developer
Hassan Kibirige	plotnine
Abigail Dogbe	PyLadies Ghana
David Hewitt	PyO3
Yuji Kanagawa	PyO3
Mannie Young	Python Ghana
Alex Bradbury	RISC-V LLVM, Ibex, OpenTitan
Lukas Taegert-Atkinson	Rollup.js
Sanil Raut	Shaka Packager
Luke Edwards	Svelte and Node Libraries
Zoe Carver	Swift Programming Language
Nick Lockwood	SwiftFormat
Priti Desai	Tekton
Sayak Paul	TensorFlow
Lukas Geiger	TensorFlow
Margaret Maynard-Reid	TensorFlow
Gabriel de Marmiesse	TensorFlow Addons
Jared Morgan	The Good Docs Project
Jo Cook	The Good Docs Project, GeoNetwork, Portable GIS, Various Open Source Geospatial Foundation communities
Ricky Mulyawan Suryadi	Tink JNI Examples
Michael Tüxen	usrsctp
Seth Brenith	V8
Ramya Rao	VS Code Go
Philipp Hancke	WebRTC
Jason Donenfeld	WireGuard

Congratulations to our winners! We look forward to your continued support and contributions to open source!

By Maria Tabak and Erin McKean, Program Managers – Google Open Source Programs Office

Kubernetes Ingress goes GA

The Kubernetes Ingress API, first introduced in late 2015 as an experimental beta feature, has finally graduated as a stable API and is included in the recent 1.19 release of Kubernetes.

The goal of the Ingress API is to provide a simple uniform means of describing the routing of HTTP or HTTPS traffic from outside a cluster to backend services within a cluster; independent of the Ingress Controller being used. An Ingress controller is a 3rd party application, such as Nginx or an external service like the Google Cloud Load Balancer (GCLB), that performs the actual routing of the HTTP(S) traffic. This uniform API, supported by the Ingress Controllers made it easy to create simple HTTP(S) load balancers, however most use-cases required something more complex.

By early 2019, the Ingress API had remained in beta for close to four years. Beta APIs are not intended to be relied upon for business-critical production use, yet many users were using the Ingress API in some level of production capacity. After much discussion, the Kubernetes Networking Special Interest Group (SIG) proposed a path forward to bring the Ingress API to GA primarily by introducing two changes in Kubernetes 1.18. These were: a new field, pathType, to the Ingress API; and a new Ingress resource type, IngressClass. Combined, they provide a means of guaranteeing a base level of compatibility between different path prefix matching implementations, along with opening the door to further extension by the Ingress Controller developers in a uniform and consistent pattern.

What does this mean for you? You can be assured that the path prefixes you use will be evaluated the same way across Ingress Controllers implementations, and the Ingress configuration sprawl across Annotations, ConfigMaps and CustomResourceDefinitions (CRDs) will be consolidated into a single IngressClass resource type.

pathType

The pathType field specifies one of three ways that an Ingress Object’s path should be interpreted:

• ImplementationSpecific: Path prefix matching is delegated to the Ingress Controller (IngressClass).
• Exact: Matches the URL path exactly (case sensitive)
• Prefix: Matches based on a URL path prefix split by /. Matching is case sensitive and done on a path element by element basis.

NOTE: ImplementationSpecific was configured as the default pathType in the 1.18 release. In 1.19 the defaulting behavior was removed and it MUST be specified. Paths that do not include an explicit pathType will fail validation.

Pre Kubernetes 1.18	Kubernetes 1.19+
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata:   name: minimal-ingress   annotations:     kubernetes.io/ingress.class: nginx spec:   rules:   - http:     paths:     - path: /testpath       backend:         serviceName: test         servicePort: 80	apiVersion: networking.k8s.io/v1 kind: Ingress metadata:   name: minimal-ingress spec:   ingressClassName: external-lb   rules:   - http:       paths:       - path: /testpath         pathType: Prefix         backend:           service:             name: test             port:               number: 80

These changes not only make room for backwards-compatible configurations with the ImplementationSpecific pathType, but also enables more portable workloads between Ingress Controllers with Exact or Prefix pathType.

IngressClass

The new IngressClass resource takes the place of various different Annotations, ConfigMaps, Environment Variables or Command Line Parameters that you would regularly pass to an Ingress Controller directly. Instead, it has a generic parameters field that can be used to reference controller specific configuration.


Example IngressClass Resource

apiVersion: networking.k8s.io/v1 kind: IngressClass metadata:   name: external-lb spec:   controller: example.com/ingress-controller   parameters:     apiGroup: k8s.example.com     kind: IngressParameters     name: external-lb

Source: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class

In this example, the parameters resource would include configuration options implemented by the example.com/ingress-controller ingress controller. These items would not need to be passed as Annotations or a ConfigMap as they would in versions prior to Kubernetes 1.18.

How do you use IngressClass with an Ingress Object? You may have caught it in the earlier example, but the Ingress resource’s spec has been updated to include an ingressClassName field. This field is similar to the previous kubernetes.io/ingress.class annotation but refers to the name of the corresponding IngressClass resource.

Other Changes

Several other small changes went into effect with the graduation of Ingress to GA in 1.19. A few fields have been remapped/renamed and support for resource backends has been added.

Remapped Ingress Fields

• v1beta1: spec.backend -> v1: spec.defaultBackend
• v1beta1: backend.service.name -> v1: backend.service.name
• v1beta1: backend.servicvePort (servicePort is now multiple fields)
• v1: backend.service.port.name
• v1: backend.service.port.number

Resource Backend
A Resource Backend is essentially a pointer or ObjectRef (apiGroup, kind, name) to another resource in the same namespace. Why would you want to do this? Well, it opens the door to all sorts of future possibilities such as routing to static object storage hosted in GCS or S3, or another internal form of storage.

NOTE: Resource Backend and Service Backends are mutually exclusive. Only one field can be specified at a time.

Deprecation Notice

With the graduation of Ingress in the 1.19 release, it officially puts the older iterations of the API (extensions/v1beta1 and networking.k8s.io/v1beta1) on a clock. Following the Kubernetes Deprecation Policy, the older APIs are slated to be removed in Kubernetes 1.22.

Should you migrate right now (September 2020)? Not yet. The majority of Ingress Controllers have not added support for the new GA Ingress API. Ingress-GCE, the Ingress Controller for Google Kubernetes Engine (GKE) should be updated to support the Ingress GA API in Q4 2020. Keep your eyes on the GKE rapid release channel to stay up to date on it, and Kubernetes 1.19’s availability.

What’s Next for Ingress?

The Ingress API has had a rough road getting to GA. It is an essential resource for many, and the changes that have been introduced help manage that complexity while keeping it relatively light-weight. However, even with the added flexibility that has been introduced it doesn’t cover a variety of complex use-cases.

SIG Network has been working on a new API referred to as “Service APIs” that takes into account the lessons learned from the previous efforts of working on Ingress. These Service APIs are not intended to replace Ingress, but instead compliment it by providing several new resources that could enable more complex workflows.


By Bob Killen, Program Manager, Google Open Source Programs Office