Google’s OSS-Fuzz bot exposes over 1,000 bugs in open source projects

Google's OSS-Fuzz bug-hunting bot has exposed more than 1,000 bugs since its launch in December 2016. Of the total bugs, 264 are touted to be potential security vulnerabilities.

Announcing the latest achievement, Google’s open source team has revealed in a blog post that OSS-Fuzz has identified a number of critical security threats in high-profile projects. The robot reported 33 bugs in LibreOffice, 10 in FreeType2, 8 in SQLite, 17 in FFmpeg, 10 in GnuTLS, 9 in gRPC, 25 in PCRE2, and 7 in Wireshark.

“Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, before any users are affected,” Google’s team, comprising Chrome Security Engineers Oliver Chang and Abhishek Arya, Dynamic Tools Engineer Kostya Serebryany and Security Program Manager Josh Armour, writes in a blog post.

The OSS-Fuzz bot uses fuzzing to identify bugs: it throws a vast amount of random data at a system in an attempt to make it crash. Notably, finding bugs through fuzzing has proven to be an effective and time-saving process.

High-profile vulnerabilities surface

The vulnerabilities spotted by the bot include heap buffer overflow problems, stack overflows, use-after-free vulnerabilities and data leaks.

Going forward, Google is aiming to integrate more projects into OSS-Fuzz. The company also looks forward to greater adoption of fuzzing as standard practice when developing software.