Continuous fuzzing with ClusterFuzzLite

In the world of software application development, fuzzing is designed to find bugs. 

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. 

The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. 

Generally, a fuzzer will determine it has found a bug by detecting an application crash. Many potential interesting security bugs don’t necessarily cause a normal application to crash immediately.

By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. 

Typically, fuzzers are used to test programs that take structured inputs. 

GitHub has more on fuzzing here.

Google developers Jonathan Metzman, Oliver Chang and Michael Winser argue that in recent years, continuous fuzzing has become an essential part of the software development lifecycle. 

NIST’s guidelines for software verification specify fuzzing among the minimum standard requirements for code verification.

This month, the Google developers are able to announce ClusterFuzzLite, a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities. 

“With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, enhancing the overall security of the software supply chain,” say the team.

Since its release in 2016, over 500 critical open source projects have integrated into Google’s OSS-Fuzz program, resulting in over 6,500 vulnerabilities and 21,000 functional bugs being fixed. ClusterFuzzLite goes hand-in-hand with OSS-Fuzz, by catching regression bugs much earlier in the development process.

According to Metzman, Chang and Winser, “Large projects including systemd and curl are already using ClusterFuzzLite during code review, with positive results.”

According to Daniel Stenberg, author of curl, “When the human reviewers nod and have approved the code and your static code analyzers and linters can’t detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.”   

With the release of ClusterFuzzLite, any project can integrate this essential testing standard and benefit from fuzzing. 

“ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, sanitizer support, corpus management, and coverage report generation. Most importantly, it’s easy to set up and works with closed source projects, making ClusterFuzzLite a convenient option for any developer who wants to fuzz their software,” said Metzman, Chang and Winser.

The takeaway here is that with ClusterFuzzLite, fuzzing is no longer just an idealised ‘bonus’ round of testing for those who have access to it, but a critical must-have step that everyone can use continuously on every software project.