2016-11-16 17:56:10 +00:00
|
|
|
# OSS-Fuzz - continuous fuzzing of open source software
|
2016-09-14 16:44:10 +00:00
|
|
|
|
2016-11-19 00:49:06 +00:00
|
|
|
> *Status*: Beta. We are preparing the project for public release. We are polishing the documentation and the process.
|
2016-09-14 16:44:10 +00:00
|
|
|
|
2016-10-25 23:36:29 +00:00
|
|
|
[FAQ](docs/faq.md)
|
2016-11-19 00:58:20 +00:00
|
|
|
| [Ideal Fuzzing Integration](docs/ideal_integration.md)
|
2016-10-26 18:16:30 +00:00
|
|
|
| [New Target Guide](docs/new_target.md)
|
2016-10-26 18:49:53 +00:00
|
|
|
| [Reproducing](docs/reproducing.md)
|
2016-11-19 01:01:09 +00:00
|
|
|
| [All Targets](targets)
|
2016-11-04 23:03:00 +00:00
|
|
|
| [Targets issue tracker](https://bugs.chromium.org/p/oss-fuzz/issues/list)
|
2016-10-17 19:59:36 +00:00
|
|
|
|
2016-10-25 21:36:06 +00:00
|
|
|
|
|
|
|
[Create New Issue](https://github.com/google/oss-fuzz/issues/new) for questions or feedback.
|
2016-10-25 21:33:39 +00:00
|
|
|
|
2016-11-19 00:47:25 +00:00
|
|
|
## Why OSS-Fuzz?
|
2016-10-25 21:31:45 +00:00
|
|
|
|
|
|
|
[Fuzz testing](https://en.wikipedia.org/wiki/Fuzz_testing) is a well-known
|
2016-11-19 00:50:54 +00:00
|
|
|
technique for uncovering various kinds of programming errors in software.
|
|
|
|
Many detectable errors (e.g. buffer overruns) have real security implications.
|
2016-10-25 21:31:45 +00:00
|
|
|
|
2016-11-19 00:47:25 +00:00
|
|
|
We successfully deployed
|
|
|
|
[guided in-process fuzzing of Chrome components](https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html)
|
|
|
|
and now want to share the experience and the service with the openssource community.
|
|
|
|
|
|
|
|
OSS-Fuzz aims to make common open source software more secure by
|
|
|
|
combining modern fuzzing techniques and scalable
|
|
|
|
distributed execution.
|
2016-10-25 21:31:45 +00:00
|
|
|
|
2016-11-19 00:47:25 +00:00
|
|
|
At the first stage of the project we use
|
|
|
|
[libFuzzer](http://llvm.org/docs/LibFuzzer.html) with
|
|
|
|
[Sanitizers](https://github.com/google/sanitizers). More fuzzing engines will be added later.
|
|
|
|
[ClusterFuzz](docs/clusterfuzz.md)
|
|
|
|
provides distributed fuzzer execution environment and reporting.
|
2016-10-25 21:31:45 +00:00
|
|
|
|
|
|
|
## Process Overview
|
|
|
|
|
2016-11-16 17:56:10 +00:00
|
|
|
The following process is used for targets in OSS-Fuzz:
|
2016-10-25 21:31:45 +00:00
|
|
|
|
2016-11-18 23:48:16 +00:00
|
|
|
- A maintainer of an opensource project or an outside volunteer creates
|
|
|
|
one or more [Fuzz Target](http://libfuzzer.info/#fuzz-target)
|
|
|
|
and [integrates](docs/ideal_integration.md) it with the project's build and test system.
|
|
|
|
- These targets are [accepted to OSS-Fuzz](docs/new_target.md).
|
|
|
|
- When [ClusterFuzz](docs/clusterfuzz.md) finds a bug, an issue is automatically
|
2016-11-18 23:50:54 +00:00
|
|
|
reported in the OSS-Fuzz [issue tracker](https://bugs.chromium.org/p/oss-fuzz/issues/list)
|
|
|
|
([example](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9)).
|
2016-11-18 23:48:16 +00:00
|
|
|
([Why different tracker?](docs/faq.md#why-do-you-use-a-different-issue-tracker-for-reportig-bugs-in-fuzz-targets)).
|
2016-11-18 23:52:12 +00:00
|
|
|
Project owners are CC-ed to the bug report.
|
2016-11-18 23:48:16 +00:00
|
|
|
- The bug is fixed upstream.
|
|
|
|
- [ClusterFuzz](docs/clusterfuzz.md) automatically verifies the fix, adds a comment and closes the issue.
|
|
|
|
- 7 days after the fix is verified or after 90 days after reporting, the issue becomes *public*
|
|
|
|
([exact guidelines](#bug-disclosure-guidelines)).
|
|
|
|
|
2016-10-25 21:31:45 +00:00
|
|
|
|
|
|
|
## Accepting New Targets
|
|
|
|
|
2016-11-16 18:12:37 +00:00
|
|
|
In order to be accepted to OSS-Fuzz, an open-source target must
|
2016-10-26 01:34:38 +00:00
|
|
|
have a significant user base and/or be critical to the global IT infrastructure.
|
2016-10-25 21:31:45 +00:00
|
|
|
|
2016-11-16 18:12:37 +00:00
|
|
|
To submit a new target to OSS-Fuzz:
|
2016-10-26 18:47:04 +00:00
|
|
|
- create a pull request with a change to [targets/README.md](targets/README.md) providing the following information:
|
2016-10-27 21:05:31 +00:00
|
|
|
* target home site and details
|
2016-10-25 21:31:45 +00:00
|
|
|
* source code repository location
|
2016-10-27 21:05:31 +00:00
|
|
|
* a link to target security issue reporting process *OR*
|
2016-10-25 21:31:45 +00:00
|
|
|
* an e-mail of the engineering contact person to be CCed on issue. This
|
2016-11-18 16:32:07 +00:00
|
|
|
has to be an e-mail
|
|
|
|
[linked to a Google Account](https://support.google.com/accounts/answer/176347?hl=en)
|
|
|
|
that belongs to an
|
2016-10-27 21:05:31 +00:00
|
|
|
established target committer (according to VCS logs).
|
2016-10-25 22:01:11 +00:00
|
|
|
If this is not you or address differs from VCS, an informal e-mail verification will be required.
|
2016-10-25 23:52:27 +00:00
|
|
|
This e-mail will also be publicly listed in our [Targets](targets/README.md)
|
2016-10-25 21:31:45 +00:00
|
|
|
page.
|
2016-11-16 18:12:37 +00:00
|
|
|
- once accepted by an OSS-Fuzz project member, follow the [New Target Guide](docs/new_target.md)
|
2016-10-25 21:31:45 +00:00
|
|
|
to write the code.
|
|
|
|
|
|
|
|
|
2016-10-26 01:39:20 +00:00
|
|
|
## Bug Disclosure Guidelines
|
2016-10-25 21:31:45 +00:00
|
|
|
|
|
|
|
Following Google's standard [disclosure policy](https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html)
|
2016-11-16 18:12:37 +00:00
|
|
|
OSS-Fuzz will adhere to following disclosure principles:
|
2016-10-25 23:36:29 +00:00
|
|
|
- **90-day deadline**. After notifying target authors, we will open reported
|
2016-11-19 01:00:15 +00:00
|
|
|
issues in 90 days, or 7 days after the fix is released.
|
2016-10-25 21:31:45 +00:00
|
|
|
- **Weekends and holidays**. If a deadline is due to expire on a weekend or
|
|
|
|
US public holiday, the deadline will be moved to the next normal work day.
|
|
|
|
- **Grace period**. We will have a 14-day grace period. If a 90-day deadline
|
2016-10-25 23:36:29 +00:00
|
|
|
will expire but upstream engineers let us know before the deadline that a
|
2016-10-25 21:31:45 +00:00
|
|
|
patch is scheduled for release on a specific day within 14 days following
|
|
|
|
the deadline, the public disclosure will be delayed until the availability
|
|
|
|
of the patch.
|
|
|
|
|
2016-11-19 00:08:25 +00:00
|
|
|
## More Documentation
|
2016-09-14 16:44:10 +00:00
|
|
|
|
2016-11-16 18:12:37 +00:00
|
|
|
* [New Target Guide](docs/new_target.md) walks through steps necessary to add new targets to OSS-Fuzz.
|
2016-11-18 23:48:16 +00:00
|
|
|
* [Ideal Integration](docs/ideal_integration.md) describes the ideal way to integrate fuzz targets with your project.
|
2016-09-27 18:59:07 +00:00
|
|
|
* [Running and Building Fuzzers](docs/building_running_fuzzers.md) documents the process for fuzzers that are
|
2016-10-27 21:05:31 +00:00
|
|
|
*part of target* source code repository.
|
2016-09-27 18:59:07 +00:00
|
|
|
* [Running and Building External Fuzzers](docs/building_running_fuzzers_external.md) documents the process for fuzzers that are
|
2016-11-16 18:12:37 +00:00
|
|
|
*part of OSS-Fuzz* source code repository.
|
2016-11-07 21:08:44 +00:00
|
|
|
* [Fuzzer execution environment](docs/fuzzer_environment.md) documents the
|
|
|
|
environment under which your fuzzers will be run.
|
2016-11-16 18:12:37 +00:00
|
|
|
* [Targets List](targets/README.md) lists OSS targets added to OSS-Fuzz.
|
2016-10-19 17:53:00 +00:00
|
|
|
* [Chrome's Efficient Fuzzer Guide](https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/HEAD/efficient_fuzzer.md)
|
|
|
|
while contains some chrome-specifics, is an excellent documentation on making your fuzzer better.
|
2016-09-14 16:44:10 +00:00
|
|
|
|
2016-10-08 01:28:27 +00:00
|
|
|
## Build status
|
2016-10-26 03:39:39 +00:00
|
|
|
[This page](https://oss-fuzz-build-logs.storage.googleapis.com/status.html)
|
|
|
|
gives the latest build logs for each target.
|
2016-10-08 01:28:27 +00:00
|
|
|
|
2016-10-26 03:44:34 +00:00
|
|
|
## Trophies
|
2016-10-06 21:02:52 +00:00
|
|
|
|
2016-10-26 03:44:34 +00:00
|
|
|
[This page](https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=status%3AFixed%2CVerified+Type%3ABug%2CBug-Security+-component%3AInfra+)
|
2016-11-16 18:12:37 +00:00
|
|
|
gives a list of publically viewable (fixed) bugs found by OSS-Fuzz.
|
2016-10-06 21:02:52 +00:00
|
|
|
|
2016-09-14 16:44:10 +00:00
|
|
|
## References
|
2016-10-17 23:40:10 +00:00
|
|
|
* [libFuzzer documentation](http://libfuzzer.info)
|
|
|
|
* [libFuzzer tutorial](http://tutorial.libfuzzer.info)
|
2016-10-19 17:52:02 +00:00
|
|
|
* [Chromium Fuzzing Page](https://chromium.googlesource.com/chromium/src/testing/libfuzzer/)
|
2016-09-14 16:44:10 +00:00
|
|
|
|