Open source software is the foundation of many modern software products. Over the years, developers increasingly have
relied on reusable open source components for their applications. It is paramount that these open source components are secure and reliable, as weaknesses impact those that build upon it.
Google cares deeply about the security of the open source ecosystem and recently launched the
Open Source Security Foundation with other industry partners.
Fuzzing is an automated testing technique to find bugs by feeding unexpected inputs to a target program. At Google, we leverage fuzzing at scale to find tens of thousands of security vulnerabilities and stability bugs. This summer, as part of
Google’s OSS internship initiative, we hosted 50 interns to improve the state of fuzz testing in the open source ecosystem.
The fuzzing interns worked towards integrating new projects and improving existing ones in
OSS-Fuzz, our continuous fuzzing service for the open source community (which has
350+ projects,
22,700 bugs, 89% fixed). Several widely used open source libraries including but not limited to
nginx,
postgresql,
usrsctp, and
openexr, now have continuous fuzzing coverage as a result of these efforts.
Another group of interns focused on improving the security of the
Linux kernel.
syzkaller, a kernel fuzzing tool from Google, has been instrumental in
finding kernel vulnerabilities in various operating systems. The interns were tasked with improving the fuzzing coverage by adding new descriptions to syzkaller like
ip tunnels,
io_uring, and
bpf_lsm for example, refining the
interface description language, and advancing kernel
fault injection capabilities.
Some interns chose to write fuzzers for Android and Chrome, which are open source projects that billions of internet users rely on. For Android, the interns contributed several new fuzzers for uncovered areas - network protocols such as
pppd and
dns, audio codecs like
monoblend,
g722, and
android framework. On the Chrome side, interns improved existing blackbox fuzzers, particularly in the areas: DOM, IPC, media, extensions, and added new
libprotobuf-based fuzzers for Mojo.
Our last set of interns researched quite a few under-explored areas of fuzzing, some of which were
fuzzer benchmarking,
ML based fuzzing,
differential fuzzing,
bazel rules for build simplification and made useful contributions.
Over the course of the internship, our interns have reported over 150 security vulnerabilities and 750 functional bugs. Given the overall success of these efforts, we plan to continue hosting fuzzing internships every year to help secure the open source ecosystem and teach incoming open source contributors about the importance of fuzzing. For more information on the Google internship program and other student opportunities, check out
careers.google.com/students. We encourage you to apply.
By: Abhishek Arya, Google Chrome Security
