Abhishek Arya, who is currently Principal Software Engineer at Google, is one of the early members of the Google Chrome Security Team and the founder of ClusterFuzz. Together with his team, he launched OSS-Fuzz back in 2016. Since then, the open-source fuzzing engine has found over 28 000 bugs in more than 400 open-source projects.
OSS-Fuzz is a free fuzzing platform for the open-source community. It started with three primary goals in mind:
In the future, OSS-Fuzz aims to support every programming language in active use. So far, it supports C/C++, Python, Java (and all other JVM-based languages), Go, and Rust.
*According to GitHut 2.0 (refers to pull requests)
OSS-Fuzz has been serving the open-source community for several years now and has results to show for it: more than 400 open-source projects have been integrated into the service for continuous fuzz testing.
Many critical open-source libraries, including curl, TensorFlow, Kubernetes, and OpenSSL, are fuzzed through OSS-Fuzz. To date, OSS-Fuzz has found more than 6 000 unique security vulnerabilities and over 22 000 functional bugs. Last year, Google also scaled the infrastructure up to 100 000 CPU cores, which greatly increases the fuzzing throughput available to those projects.
Open-source developers can now also integrate Java projects into OSS-Fuzz. Since the release of Java support, OSS-Fuzz has already found over 50 bugs in more than 15 popular open-source Java libraries (e.g., owasp/json-sanitizer, apache/pdfbox, FasterXML/jackson). Eight of those 50 bugs were security-critical and could potentially compromise the hundreds of other applications that depend on these libraries.
But in the end, the success of OSS-Fuzz depends on support from the community. Therefore, we also need your help to onboard your open-source projects in OSS-Fuzz. I strongly believe that we can make open-source software even more secure if we join forces.
Abhishek Arya is one of the early members of the Google Chrome Security Team and the founder of ClusterFuzz, a highly scaled and automated fuzzing infrastructure that fuzzes Chrome, Android, and several other Google products.