2016-11-23 16:35:07 +00:00
# OSS-Fuzz - Continuous Fuzzing for Open Source Software
2016-09-14 16:44:10 +00:00
2017-02-08 03:15:53 +00:00
> *Status*: Beta. We are now accepting applications from widely-used open source projects.
2016-09-14 16:44:10 +00:00
2016-10-25 23:36:29 +00:00
[FAQ ](docs/faq.md )
2016-11-19 00:58:20 +00:00
| [Ideal Fuzzing Integration ](docs/ideal_integration.md )
2016-11-29 18:57:46 +00:00
| [New Project Guide ](docs/new_project_guide.md )
2016-11-29 21:25:25 +00:00
| [Reproducing Bugs ](docs/reproducing.md )
| [Projects ](projects )
2016-11-29 18:57:46 +00:00
| [Projects Issue Tracker ](https://bugs.chromium.org/p/oss-fuzz/issues/list )
2016-11-29 21:22:57 +00:00
| [Glossary ](docs/glossary.md )
2016-10-17 19:59:36 +00:00
2016-10-25 21:36:06 +00:00
2016-11-21 22:01:10 +00:00
[Create New Issue ](https://github.com/google/oss-fuzz/issues/new ) for questions or feedback about OSS-Fuzz.
2016-10-25 21:33:39 +00:00
2016-11-21 21:48:02 +00:00
## Introduction
2016-10-25 21:31:45 +00:00
[Fuzz testing ](https://en.wikipedia.org/wiki/Fuzz_testing ) is a well-known
2016-11-19 00:50:54 +00:00
technique for uncovering various kinds of programming errors in software.
2016-11-23 16:35:07 +00:00
Many of these detectable errors (e.g. [buffer overflow ](https://en.wikipedia.org/wiki/Buffer_overflow )) can have serious security implications.
2016-10-25 21:31:45 +00:00
2016-11-19 00:47:25 +00:00
We successfully deployed
[guided in-process fuzzing of Chrome components ](https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html )
2016-11-23 16:35:07 +00:00
and found [hundreds ](https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-status%3ADuplicate%2CWontFix ) of security vulnerabilities and stability bugs. We now want to share the experience and the service with the open source community.
2016-11-19 00:47:25 +00:00
2016-11-23 16:35:07 +00:00
In cooperation with the [Core Infrastructure Initiative ](https://www.coreinfrastructure.org/ ),
OSS-Fuzz aims to make common open source software more secure and stable by
2016-11-19 00:47:25 +00:00
combining modern fuzzing techniques and scalable
distributed execution.
2016-10-25 21:31:45 +00:00
2016-11-19 00:47:25 +00:00
At the first stage of the project we use
[libFuzzer ](http://llvm.org/docs/LibFuzzer.html ) with
[Sanitizers ](https://github.com/google/sanitizers ). More fuzzing engines will be added later.
[ClusterFuzz ](docs/clusterfuzz.md )
2017-02-08 03:15:53 +00:00
provides a distributed fuzzer execution environment and reporting.
2016-10-25 21:31:45 +00:00
2016-12-03 04:41:47 +00:00
Currently OSS-Fuzz supports C and C++ code (other languages supported by [LLVM ](http://llvm.org ) may work too).
2016-10-25 21:31:45 +00:00
## Process Overview
2017-03-16 02:17:07 +00:00
![diagram ](docs/images/process.png?raw=true )
2017-02-10 18:27:14 +00:00
2016-11-29 18:57:46 +00:00
The following process is used for projects in OSS-Fuzz:
2016-10-25 21:31:45 +00:00
2016-11-18 23:48:16 +00:00
- A maintainer of an opensource project or an outside volunteer creates
2016-11-21 21:53:40 +00:00
one or more [fuzz targets ](http://libfuzzer.info/#fuzz-target )
and [integrates ](docs/ideal_integration.md ) them with the project's build and test system.
2016-12-03 01:15:57 +00:00
- The project is [accepted to OSS-Fuzz ](#accepting-new-projects ).
2016-11-18 23:48:16 +00:00
- When [ClusterFuzz ](docs/clusterfuzz.md ) finds a bug, an issue is automatically
2016-11-18 23:50:54 +00:00
reported in the OSS-Fuzz [issue tracker ](https://bugs.chromium.org/p/oss-fuzz/issues/list )
([example](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9)).
2017-02-08 03:15:53 +00:00
([Why use a different tracker?](docs/faq.md#why-do-you-use-a-different-issue-tracker-for-reporting-bugs-in-oss-projects)).
2016-11-18 23:52:12 +00:00
Project owners are CC-ed to the bug report.
2017-01-05 21:41:57 +00:00
- The project developer fixes the bug upstream and credits OSS-Fuzz for the discovery (commit message should contain
the string ** 'Credit to OSS-Fuzz'**).
2016-11-27 02:22:14 +00:00
- [ClusterFuzz ](docs/clusterfuzz.md ) automatically verifies the fix, adds a comment and closes the issue ([example](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53#c3)).
2017-03-03 22:21:37 +00:00
- 30 days after the fix is verified or 90 days after reporting (whichever is earlier), the issue becomes *public*
2016-11-23 16:35:07 +00:00
([guidelines](#bug-disclosure-guidelines)).
2016-11-18 23:48:16 +00:00
2016-11-22 19:48:48 +00:00
<!-- NOTE: this anchor is referenced by oss - fuzz blog post -->
2016-11-29 18:57:46 +00:00
## Accepting New Projects
2016-10-25 21:31:45 +00:00
2016-11-29 18:57:46 +00:00
To be accepted to OSS-Fuzz, an open-source project must
2016-10-26 01:34:38 +00:00
have a significant user base and/or be critical to the global IT infrastructure.
2016-11-29 18:57:46 +00:00
To submit a new project:
2016-11-23 16:43:15 +00:00
- [Create a pull request ](https://help.github.com/articles/creating-a-pull-request/ ) with new
2016-12-01 20:46:20 +00:00
`projects/<project_name>/project.yaml` file ([example](projects/libarchive/project.yaml)) giving at least the following information:
2016-11-29 18:57:46 +00:00
* project homepage.
2017-08-17 19:55:09 +00:00
* e-mail of the engineering contact person to be CCed on new issues. It should:
* belong to an established project committer (according to VCS logs). If this is not you or the email address differs from VCS, an informal e-mail verification will be required.
2017-08-17 20:04:44 +00:00
* be associated with a Google account ([why?](docs/faq.md#why-do-you-require-a-google-account-for-authentication)). If you use an alternate email address [linked to a Google Account ](https://support.google.com/accounts/answer/176347?hl=en ), it will ONLY give you access to filed bugs in [issue tracker ](https://bugs.chromium.org/p/oss-fuzz/issues/list ) and NOT to [ClusterFuzz ](clusterfuzz.md ) dashboard (due to appengine api limitations).
2016-12-01 20:40:43 +00:00
* Note that `project_name` can only contain alphanumeric characters, underscores(_) or dashes(-).
2016-11-29 18:57:46 +00:00
- Once accepted by an OSS-Fuzz project member, follow the [New Project Guide ](docs/new_project_guide.md )
2017-02-08 03:15:53 +00:00
to configure your project.
2016-10-25 21:31:45 +00:00
2016-10-26 01:39:20 +00:00
## Bug Disclosure Guidelines
2016-10-25 21:31:45 +00:00
2016-11-23 16:35:07 +00:00
Following [Google's standard disclosure policy ](https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html )
2016-11-16 18:12:37 +00:00
OSS-Fuzz will adhere to following disclosure principles:
2017-03-03 22:17:27 +00:00
- **Deadline**. After notifying project authors, we will open reported
issues to the public in 90 days, or 30 days after the fix is released
(whichever comes earlier).
2017-01-24 20:24:15 +00:00
- **Weekends and holidays**. If a deadline is due to expire on a weekend,
the deadline will be moved to the next normal work day.
2016-11-23 16:35:07 +00:00
- **Grace period**. We have a 14-day grace period. If a 90-day deadline
2016-11-30 18:43:22 +00:00
expires but the upstream engineers let us know before the deadline that a
2016-10-25 21:31:45 +00:00
patch is scheduled for release on a specific day within 14 days following
the deadline, the public disclosure will be delayed until the availability
of the patch.
2016-11-19 00:08:25 +00:00
## More Documentation
2016-09-14 16:44:10 +00:00
2016-11-29 21:18:18 +00:00
* [Glossary ](docs/glossary.md ) describes the common terms used in OSS-Fuzz.
2016-11-29 18:57:46 +00:00
* [New Project Guide ](docs/new_project_guide.md ) walks through the steps necessary to add new projects to OSS-Fuzz.
2016-11-23 16:35:07 +00:00
* [Ideal Integration ](docs/ideal_integration.md ) describes the steps to integrate fuzz targets with your project.
2016-12-06 23:13:03 +00:00
* [Accessing corpora ](docs/corpora.md ) describes how to access the corpora we use for fuzzing.
2016-11-07 21:08:44 +00:00
* [Fuzzer execution environment ](docs/fuzzer_environment.md ) documents the
environment under which your fuzzers will be run.
2017-02-08 03:15:53 +00:00
* [Projects ](projects ) lists OSS projects currently analyzed by OSS-Fuzz.
2016-10-19 17:53:00 +00:00
* [Chrome's Efficient Fuzzer Guide ](https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/HEAD/efficient_fuzzer.md )
2017-02-08 03:15:53 +00:00
while containing some Chrome-specific bits, is an excellent guide to making your fuzzer better.
2017-05-09 02:32:16 +00:00
* Blog posts:
* 2016-12-01 ([1](https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html),
2016-12-02 23:44:43 +00:00
[2 ](https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html ),
[3 ](https://security.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html ))
2017-05-09 02:32:16 +00:00
* 2017-05-08 ([1](https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html),
[2 ](https://testing.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html ),
[3 ](https://security.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html ))
2016-09-14 16:44:10 +00:00
2016-11-27 02:30:49 +00:00
## Build Status
2017-04-18 18:47:44 +00:00
[This page ](https://oss-fuzz-build-logs.storage.googleapis.com/index.html )
2016-11-29 18:57:46 +00:00
gives the latest build logs for each project.
2016-10-08 01:28:27 +00:00
2016-10-26 03:44:34 +00:00
## Trophies
2016-10-06 21:02:52 +00:00
2016-10-26 03:44:34 +00:00
[This page ](https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=status%3AFixed%2CVerified+Type%3ABug%2CBug-Security+-component%3AInfra+ )
2017-02-08 03:15:53 +00:00
gives a list of publicly-viewable fixed bugs found by OSS-Fuzz.
2016-10-06 21:02:52 +00:00
2016-09-14 16:44:10 +00:00
## References
2016-10-17 23:40:10 +00:00
* [libFuzzer documentation ](http://libfuzzer.info )
* [libFuzzer tutorial ](http://tutorial.libfuzzer.info )
2017-01-16 20:15:30 +00:00
* [libFuzzer workshop ](https://github.com/Dor1s/libfuzzer-workshop )
2016-10-19 17:52:02 +00:00
* [Chromium Fuzzing Page ](https://chromium.googlesource.com/chromium/src/testing/libfuzzer/ )
2016-11-23 16:43:15 +00:00
* [ClusterFuzz ](https://blog.chromium.org/2012/04/fuzzing-for-security.html )
2016-09-14 16:44:10 +00:00