2019-08-08 14:12:25 +00:00
# OSS-Fuzz: Continuous Fuzzing for Open Source Software
2016-10-25 21:31:45 +00:00
[Fuzz testing ](https://en.wikipedia.org/wiki/Fuzz_testing ) is a well-known
2019-08-08 14:12:25 +00:00
technique for uncovering programming errors in software.
2019-08-09 19:35:14 +00:00
Many of these detectable errors, like [buffer overflow ](https://en.wikipedia.org/wiki/Buffer_overflow ), can have serious security implications. Google has found [thousands] of security vulnerabilities and stability bugs by deploying [guided in-process fuzzing of Chrome components ](https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html ),
2019-08-09 19:24:43 +00:00
and we now want to share that service with the open source community.
2016-11-19 00:47:25 +00:00
2019-08-09 19:35:14 +00:00
[thousands]: https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix& can=1
2016-11-23 16:35:07 +00:00
In cooperation with the [Core Infrastructure Initiative ](https://www.coreinfrastructure.org/ ),
OSS-Fuzz aims to make common open source software more secure and stable by
2019-08-08 14:12:25 +00:00
combining modern fuzzing techniques with scalable,
2016-11-19 00:47:25 +00:00
distributed execution.
2016-10-25 21:31:45 +00:00
2019-08-08 14:12:25 +00:00
We support the [libFuzzer ](http://llvm.org/docs/LibFuzzer.html ) and [AFL ](http://lcamtuf.coredump.cx/afl/ ) fuzzing engines
in combination with [Sanitizers ](https://github.com/google/sanitizers ), as well as
[ClusterFuzz ](https://github.com/google/clusterfuzz ),
a distributed fuzzer execution environment and reporting tool.
2019-08-19 21:07:33 +00:00
Currently, OSS-Fuzz supports C/C++, Rust, and Go code. Other languages supported by [LLVM ](http://llvm.org ) may work too.
OSS-Fuzz supports fuzzing x86_64 and i386 builds.
2016-10-25 21:31:45 +00:00
2019-08-08 14:12:25 +00:00
## Overview
![OSS-Fuzz process diagram ](docs/images/process.png )
2016-12-03 04:41:47 +00:00
2019-08-08 14:36:35 +00:00
## Documentation
2019-08-08 14:12:25 +00:00
Read our [detailed documentation ](https://google.github.io/oss-fuzz ) to learn how to use OSS-Fuzz.
2016-10-25 21:31:45 +00:00
2019-08-07 14:37:16 +00:00
## Trophies
2020-01-13 01:14:20 +00:00
As of January 2020, OSS-Fuzz has found over [16,000] bugs in [250] open source projects.
2016-10-25 21:31:45 +00:00
2020-01-13 01:14:20 +00:00
[16,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=-status%3AWontFix%2CDuplicate%20-component%3AInfra& can=1
[250]: https://github.com/google/oss-fuzz/tree/master/projects
2016-10-25 21:31:45 +00:00
2019-08-07 14:37:16 +00:00
## Blog posts
2016-09-14 16:44:10 +00:00
2019-08-15 22:08:51 +00:00
* 2016-12-01 - [Announcing OSS-Fuzz: Continuous fuzzing for open source software ](https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html )
2019-08-15 22:07:23 +00:00
* 2017-05-08 - [OSS-Fuzz: Five months later, and rewarding projects ](https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html )
* 2018-11-06 - [A New Chapter for OSS-Fuzz ](https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html )
2016-10-06 21:02:52 +00:00