ClusterFuzz is used by Google for fuzzing the Chrome browser and serves as the fuzzing backend for OSS-Fuzz.
Google has announced that it is open sourcing ClusterFuzz, a scalable fuzzing infrastructure that finds security and stability issues in software.
ClusterFuzz debuted in 2011 and runs on over 25,000 cores. Google developed it as a cloud-based tool for uncovering memory corruption bugs and similar defects in its Chrome browser.
Two years ago, Google began offering ClusterFuzz as a free service to open source projects through OSS-Fuzz.
“ClusterFuzz provides end-to-end automation, from bug detection, to triage (accurate deduplication, bisection), to bug reporting, and finally to automatic closure of bug reports,” Google writes in a blog post.
According to the tech giant, ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects.
ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day, Google said.
The release of ClusterFuzz as open source enables open source projects and their developers to integrate fuzzing into their workflows.
Why is fuzzing required for software projects?
Google explains –
Fuzzing is an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program. It is effective at finding memory corruption bugs, which often have serious security implications. Manually finding these issues is both difficult and time consuming, and bugs often slip through despite rigorous code review practices. For software projects written in an unsafe language such as C or C++, fuzzing is a crucial part of ensuring their security and stability.
In order for fuzzing to be truly effective, Google says, it must be continuous, done at scale, and integrated into the development process of a software project.
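As an added illustration of the loop described above (feed unexpected inputs to a target, treat crashes as findings, deduplicate them for triage), the following Python sketch is not ClusterFuzz's code, which targets native binaries under sanitizers; it mutates a seed input, runs a constructed toy parser with a planted out-of-bounds read standing in for a C/C++ memory bug, and keeps one reproducer per unique crash signature. The parser, the seed record and the signature scheme are all constructed for this example.

```python
import hashlib
import random
import traceback
SEED_RECORD = b"\x7f\x03abc\x26"  # constructed valid input: magic, length, payload, checksum

def parse_record(data):  # constructed toy target with a planted bug (stands in for a C/C++ parser)
    if len(data) < 2 or data[0] != 0x7F:
        raise ValueError("bad magic")  # graceful rejection, not a bug
    declared = data[1]
    payload = data[2:2 + declared]
    checksum = data[2 + declared]  # planted bug: trusts the declared length, reads past the end
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return payload

def mutate(rng, data):  # one random byte-level mutation: bit flip, byte insert, or byte delete
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete"))
    if op == "flip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def crash_signature(exc):  # dedup key: exception type plus innermost frames, as a triage step would use
    frames = traceback.extract_tb(exc.__traceback__)[-2:]
    key = "|".join([type(exc).__name__] + [f"{f.name}:{f.lineno}" for f in frames])
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def run(target, case):  # return the crash exception for one input, or None
    try:
        target(case)
        return None
    except ValueError:
        return None  # the target's own rejection of malformed input is not a crash
    except Exception as exc:
        return exc

def fuzz(target, seeds, iterations=3000, seed=1):  # seed-based mutation loop, no coverage guidance
    rng = random.Random(seed)
    crashes = {}  # signature -> first reproducing input
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        exc = run(target, case)
        if exc is not None:
            crashes.setdefault(crash_signature(exc), case)  # one report per unique crash
    return crashes
```

Every distinct signature in the returned dictionary maps to an input that can be re-run with `run(parse_record, case)` to confirm the crash still reproduces before a report is filed.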