2019-08-08 14:12:25 +00:00
# OSS-Fuzz: Continuous Fuzzing for Open Source Software
2016-10-25 21:31:45 +00:00
2020-07-16 22:27:29 +00:00
[Fuzz testing] is a well-known technique for uncovering programming errors in
software. Many of these detectable errors, like [buffer overflow], can have
serious security implications. Google has found [thousands] of security
vulnerabilities and stability bugs by deploying [guided in-process fuzzing of
Chrome components], and we now want to share that service with the open source
community.
[Fuzz testing]: https://en.wikipedia.org/wiki/Fuzz_testing
[buffer overflow]: https://en.wikipedia.org/wiki/Buffer_overflow
2019-08-09 19:35:14 +00:00
[thousands]: https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix& can=1
2020-07-16 22:27:29 +00:00
[guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
2020-12-21 21:43:26 +00:00
In cooperation with the [Core Infrastructure Initiative] and the [OpenSSF],
OSS-Fuzz aims to make common open source software more secure and stable by
combining modern fuzzing techniques with scalable, distributed execution.
2022-01-19 22:24:47 +00:00
Projects that do not qualify for OSS-Fuzz (e.g. closed source) can run their own
instances of [ClusterFuzz] or [ClusterFuzzLite].
2020-07-16 22:27:29 +00:00
[Core Infrastructure Initiative]: https://www.coreinfrastructure.org/
2020-12-13 17:10:51 +00:00
[OpenSSF]: https://www.openssf.org/
2019-08-09 19:35:14 +00:00
2021-01-26 23:29:02 +00:00
We support the [libFuzzer], [AFL++], and [Honggfuzz] fuzzing engines in
2020-07-16 22:27:29 +00:00
combination with [Sanitizers], as well as [ClusterFuzz], a distributed fuzzer
execution environment and reporting tool.
2016-10-25 21:31:45 +00:00
2020-07-16 22:27:29 +00:00
[libFuzzer]: https://llvm.org/docs/LibFuzzer.html
2021-01-26 23:29:02 +00:00
[AFL++]: https://github.com/AFLplusplus/AFLplusplus
2020-07-16 22:27:29 +00:00
[Honggfuzz]: https://github.com/google/honggfuzz
[Sanitizers]: https://github.com/google/sanitizers
[ClusterFuzz]: https://github.com/google/clusterfuzz
2022-01-19 22:24:47 +00:00
[ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/
2019-08-08 14:12:25 +00:00
2021-03-22 21:17:52 +00:00
Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other languages
2020-12-21 21:43:26 +00:00
supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64 and i386
builds.
2020-07-16 22:27:29 +00:00
[LLVM]: https://llvm.org
2016-10-25 21:31:45 +00:00
2019-08-08 14:12:25 +00:00
## Overview
![OSS-Fuzz process diagram ](docs/images/process.png )
2016-12-03 04:41:47 +00:00
2019-08-08 14:36:35 +00:00
## Documentation
2020-07-16 22:27:29 +00:00
Read our [detailed documentation] to learn how to use OSS-Fuzz.
[detailed documentation]: https://google.github.io/oss-fuzz
2016-10-25 21:31:45 +00:00
2019-08-07 14:37:16 +00:00
## Trophies
2022-07-05 05:07:52 +00:00
As of July 2022, OSS-Fuzz has found over [40,500] bugs in [650] open source
2020-07-16 22:27:29 +00:00
projects.
2016-10-25 21:31:45 +00:00
2022-07-05 05:07:52 +00:00
[40,500]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=-status%3AWontFix%2CDuplicate%20-component%3AInfra& can=1
[650]: https://github.com/google/oss-fuzz/tree/master/projects
2016-10-25 21:31:45 +00:00
2019-08-07 14:37:16 +00:00
## Blog posts
2020-07-16 22:27:29 +00:00
* 2016-12-01 - [Announcing OSS-Fuzz: Continuous fuzzing for open source software]
* 2017-05-08 - [OSS-Fuzz: Five months later, and rewarding projects]
* 2018-11-06 - [A New Chapter for OSS-Fuzz]
2020-12-13 17:10:51 +00:00
* 2020-10-09 - [Fuzzing internships for Open Source Software]
* 2020-12-07 - [Improving open source security during the Google summer internship program]
2016-09-14 16:44:10 +00:00
2020-07-16 22:27:29 +00:00
[Announcing OSS-Fuzz: Continuous fuzzing for open source software]: https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html
[OSS-Fuzz: Five months later, and rewarding projects]: https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
[A New Chapter for OSS-Fuzz]: https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html
2020-12-13 17:10:51 +00:00
[Fuzzing internships for Open Source Software]: https://security.googleblog.com/2020/10/fuzzing-internships-for-open-source.html
[Improving open source security during the Google summer internship program]: https://security.googleblog.com/2020/12/improving-open-source-security-during.html