Google introduced the ClusterFuzzLite fuzz testing system

Google has introduced ClusterFuzzLite, a project that makes it possible to run fuzz testing of code inside a continuous integration pipeline, so that potential vulnerabilities are caught early. Currently ClusterFuzzLite can be used to automate fuzzing of pull requests in GitHub Actions, Google Cloud Build, and Prow; support for other CI systems is expected in the future. The project is based on the ClusterFuzz platform, which was created to coordinate the work of fuzzing clusters, and is distributed under the Apache 2.0 license.

It is noted that since Google launched the OSS-Fuzz service in 2016, more than 500 important open source projects have been accepted into the continuous fuzzing program. Based on the checks carried out, more than 6,500 confirmed vulnerabilities were eliminated and more than 21 thousand bugs were fixed. ClusterFuzzLite extends these fuzzing mechanisms so that problems can be identified earlier, at the stage when proposed changes are being reviewed. ClusterFuzzLite has already been integrated into the change review processes of the systemd and curl projects, where it has detected bugs missed by the static analyzers and linters applied at the initial stage of checking new code.

ClusterFuzzLite supports testing projects written in C, C++, Java (and other JVM-based languages), Go, Python, Rust, and Swift. Fuzzing is performed with the libFuzzer engine. The AddressSanitizer, MemorySanitizer, and UBSan (UndefinedBehaviorSanitizer) instrumentation can additionally be enabled to detect memory errors and undefined behavior.

The main features of ClusterFuzzLite are: a quick check of proposed changes to find bugs before the code is accepted; downloadable crash reports; the option to move on to a longer, more thorough fuzzing run to find deeper bugs that did not surface while checking the individual change; generation of coverage reports to assess how much of the code the tests exercised; and a modular architecture that lets you enable only the functionality you need.

Recall that fuzz testing generates a stream of random combinations of input data that resemble real data (for example, HTML pages with random tag parameters, or archives and images with anomalous headers) and records any failures that occur while the target processes them. If an input causes a crash or produces a response that deviates from the expected one, that behavior most likely indicates a bug or vulnerability.
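To make the libFuzzer and sanitizer mechanism from the paragraphs above concrete, here is an added example that is not part of the original article and not code from ClusterFuzzLite or any of the projects it mentions. It assumes a hypothetical length-prefixed record format (one length byte followed by that many name bytes) and a file name of record_fuzz.c. The vulnerable parser trusts the length byte and can overflow its stack buffer; the hardened parser beside it also bounds the length against the destination buffer. LLVMFuzzerTestOneInput is libFuzzer's real entry point; everything else is constructed for the example.

```c
// Added example (not ClusterFuzzLite's or any project's own code).
// Fuzz build (assumed file name):  clang -g -O1 -fsanitize=fuzzer,address record_fuzz.c
// Stand-alone replay of the constructed inputs:  cc -DSTANDALONE record_fuzz.c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 16   // destination buffer size, including the terminating NUL

// Hypothetical record format: data[0] is the name length, data[1..len] the name.
// Both parsers return the number of name bytes copied, or -1 for a malformed record.

// Vulnerable version: validates the length only against the input size, so a
// record whose length byte is >= MAX_NAME overflows `name`. libFuzzer will find
// such an input quickly and AddressSanitizer reports a stack-buffer-overflow.
static int parse_record_vulnerable(const uint8_t *data, size_t size, char *name) {
    if (size < 1) return -1;
    uint8_t len = data[0];
    if (size < 1u + len) return -1;   // checks the input, not the buffer
    memcpy(name, data + 1, len);       // overflow when len > MAX_NAME - 1
    name[len] = '\0';
    return len;
}

// Hardened version: the length is also bounded by the destination buffer.
static int parse_record_fixed(const uint8_t *data, size_t size, char *name) {
    if (size < 1) return -1;
    uint8_t len = data[0];
    if (len >= MAX_NAME || size < 1u + len) return -1;
    memcpy(name, data + 1, len);
    name[len] = '\0';
    return len;
}

// libFuzzer entry point: called once per mutated input. The return value is
// conventionally 0; the sanitizer, not the return value, reports the bug.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char name[MAX_NAME];
    // Swap in parse_record_vulnerable here to watch ASan fire under the fuzzer.
    parse_record_fixed(data, size, name);
    return 0;
}

#ifdef STANDALONE
// Replay driver for reading the example without libFuzzer. Without -DSTANDALONE
// libFuzzer supplies main() itself and drives LLVMFuzzerTestOneInput.
int main(void) {
    // Constructed sample records, not real corpus data.
    uint8_t good[] = {5, 'h', 'e', 'l', 'l', 'o'};
    uint8_t truncated[] = {5, 'h', 'e'};   // claims more bytes than are present
    uint8_t oversized[40];                  // length 39 >= MAX_NAME: overflows the vulnerable parser
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 39;

    char name[MAX_NAME];
    printf("good:      %d\n", parse_record_fixed(good, sizeof good, name));           // 5
    printf("truncated: %d\n", parse_record_fixed(truncated, sizeof truncated, name)); // -1
    printf("oversized: %d\n", parse_record_fixed(oversized, sizeof oversized, name)); // -1
    // parse_record_vulnerable(oversized, sizeof oversized, name) would write 39 bytes
    // into a 16-byte buffer; that is exactly the input class libFuzzer plus ASan surfaces.
    return LLVMFuzzerTestOneInput(oversized, sizeof oversized);
}
#endif
```

The target is deliberately small: libFuzzer mutates the byte array, so any input where the length byte is at least 16 and enough bytes follow it triggers the overflow in the vulnerable parser within seconds, and ASan turns the silent corruption into a hard crash with a stack trace. In a ClusterFuzzLite setup the same file would be compiled by the project's build script using the OSS-Fuzz-style $CC, $CFLAGS and $LIB_FUZZING_ENGINE variables, and the sanitizer choice (address, memory, undefined) is selected per CI job rather than hard-coded here.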

Source: opennet.ru
