ClusterFuzzLite, a system for organizing code fuzzing tests

Recently Google unveiled, via a blog post, the ClusterFuzzLite project, which organizes fuzz testing of code so that potential vulnerabilities are detected early, while changes are still passing through continuous integration systems.

Currently, ClusterFuzzLite can be used to automate fuzz testing of pull requests in GitHub Actions, Google Cloud Build and Prow, and support for other CI systems is expected in the future. The project is based on the ClusterFuzz platform, created to coordinate the work of fuzzing clusters, and is distributed under the Apache 2.0 license.

It should be noted that since Google introduced the OSS-Fuzz service in 2016, more than 500 major open source projects have been accepted into its continuous fuzzing program. The checks carried out have led to the elimination of more than 6,500 confirmed vulnerabilities and the correction of more than 21,000 bugs.

About ClusterFuzzLite

ClusterFuzzLite extends these fuzz-testing mechanisms so that issues can be identified earlier, in the peer review phase of proposed changes. It has already been introduced into the change review processes of the systemd and curl projects, where it has found errors that the static analyzers and linters used in the initial verification of new code had not detected.

Google's announcement reads: “Today, we are pleased to announce ClusterFuzzLite, a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are made, improving the overall security of the software supply chain.
Since its launch in 2016, more than 500 critical open source projects have been integrated into Google's OSS-Fuzz program, resulting in the correction of more than 6,500 vulnerabilities and 21,000 functional bugs. ClusterFuzzLite goes hand in hand with OSS-Fuzz, detecting regression errors much earlier in the development process.”

ClusterFuzzLite supports fuzzing projects written in C, C++, Java (and other JVM-based languages), Go, Python, Rust and Swift. The fuzz tests are run with the libFuzzer engine, and the AddressSanitizer, MemorySanitizer and UBSan (UndefinedBehaviorSanitizer) tools can be enabled to detect memory errors and undefined behaviour.

Among the key features highlighted for ClusterFuzzLite are: quick verification of proposed changes, to find errors before the code is accepted; downloadable reports describing the conditions under which crashes occurred; the option to move on to longer-running fuzzing that identifies deeper errors not surfaced while verifying the change itself; the generation of coverage reports to evaluate how much of the code the tests exercise; and a modular architecture that lets you choose only the functionality you need.

Large projects including systemd and curl are already using ClusterFuzzLite during code review, with positive results. According to Daniel Stenberg, author of curl, “When human reviewers agree and have approved the code and their static code analyzers and linters can't detect any more problems, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, all day, every day and at every engagement.”

We must remember that fuzz tests generate a stream of random combinations of input data that stay close to real data (for example, HTML pages with random tag parameters, or files and images with abnormal headers) and record any failures that occur in the process.

If any input causes a failure or a response that does not match the expected one, this behavior most likely indicates a bug or vulnerability.
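To make the two preceding points concrete (libFuzzer targets plus sanitizers, and fuzzing files with abnormal headers), here is an added example of a minimal libFuzzer target of the kind ClusterFuzzLite builds and runs. It is not code from the article or from the ClusterFuzzLite project: the "RECD" record format, the parser, and the sample inputs are all constructed for illustration. The parser validates a declared payload length against the bytes actually present, which is exactly the class of header/length mismatch that a fuzzer combined with AddressSanitizer turns into a crash report when the check is missing.

```c
/*
 * Added example (not from the ClusterFuzzLite project or the article):
 * a minimal libFuzzer target of the kind ClusterFuzzLite builds and runs.
 * The record format, parser and sample inputs are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record format: 4-byte magic "RECD", a 2-byte big-endian
 * payload length, then the payload. Length fields that disagree with the
 * real input size are a classic fuzzer finding. */
#define REC_MAGIC "RECD"
#define REC_HDR_LEN 6
#define REC_MAX_PAYLOAD 1024

enum rec_status { REC_OK = 0, REC_TOO_SHORT, REC_BAD_MAGIC, REC_BAD_LENGTH };

struct rec { uint16_t len; const uint8_t *payload; };

/* Parse a record without ever reading past `size` bytes. Each check below
 * is one that fuzzing plus AddressSanitizer would otherwise report as an
 * out-of-bounds read. */
enum rec_status rec_parse(const uint8_t *data, size_t size, struct rec *out)
{
    if (size < REC_HDR_LEN)
        return REC_TOO_SHORT;
    if (memcmp(data, REC_MAGIC, 4) != 0)
        return REC_BAD_MAGIC;
    uint16_t len = (uint16_t)((data[4] << 8) | data[5]);
    /* The declared length must fit both the cap and the bytes we really have. */
    if (len > REC_MAX_PAYLOAD || (size_t)len > size - REC_HDR_LEN)
        return REC_BAD_LENGTH;
    out->len = len;
    out->payload = data + REC_HDR_LEN;
    return REC_OK;
}

/* A consumer that trusts `len` from the parser; with an unchecked length it
 * would walk off the end of the buffer. */
uint32_t rec_checksum(const struct rec *r)
{
    uint32_t sum = 0;
    for (uint16_t i = 0; i < r->len; i++)
        sum = sum * 31 + r->payload[i];
    return sum;
}

/* libFuzzer entry point: the engine (and ClusterFuzzLite) calls this with
 * mutated inputs; a sanitizer-detected memory error or abort() is a finding. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    /* Copy into an exactly-sized heap buffer so ASan flags even a one-byte
     * read beyond `size`. */
    uint8_t *buf = malloc(size ? size : 1);
    if (!buf) return 0;
    memcpy(buf, data, size);

    struct rec r;
    if (rec_parse(buf, size, &r) == REC_OK) {
        /* Invariant: a successful parse never hands the consumer a payload
         * that extends past the input. */
        if ((size_t)r.len + REC_HDR_LEN > size)
            abort();
        (void)rec_checksum(&r);
    }
    free(buf);
    return 0;
}

/* Replay one input through the target and report how the parser classified
 * it; handy for re-running a crash input attached to a fuzzing report. */
enum rec_status rec_replay(const uint8_t *data, size_t size)
{
    struct rec r;
    enum rec_status st = rec_parse(data, size, &r);
    LLVMFuzzerTestOneInput(data, size);
    return st;
}

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Without -fsanitize=fuzzer (which defines the macro above and supplies its
 * own main), replay a few constructed inputs as an ordinary program. */
int main(void)
{
    /* Constructed: a valid record, then a header claiming 65535 payload bytes. */
    const uint8_t good[] = { 'R','E','C','D', 0x00, 0x03, 'a','b','c' };
    const uint8_t lies[] = { 'R','E','C','D', 0xFF, 0xFF, 'a' };
    printf("good -> status %d\n", rec_replay(good, sizeof good));
    printf("lies -> status %d\n", rec_replay(lies, sizeof lies));
    return 0;
}
#endif
```

Built with `clang -g -fsanitize=fuzzer,address target.c`, this becomes a fuzzer binary that libFuzzer drives with mutated inputs; built plainly, it just replays the two constructed records. In a ClusterFuzzLite setup the same target would be compiled by the project's `.clusterfuzzlite/build.sh` and exercised against each pull request, with the sanitizer chosen per job.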

Finally, if you are interested in knowing more about it, you can check the details in the following link.
