OSS-Fuzz - continuous fuzzing for open source software.
Go to file
inferno-chromium 69b3eea9fc Update fuzzer_environment.md 2016-11-26 15:59:29 -08:00
docs Update fuzzer_environment.md 2016-11-26 15:59:29 -08:00
infra [infra] using sanitizers and name from the target 2016-11-23 12:43:12 -08:00
targets Update target.yaml 2016-11-25 15:57:47 -08:00
.gitignore Implement a helper script. 2016-09-01 16:37:12 -07:00
CONTRIBUTING Create CONTRIBUTING 2016-10-12 13:26:26 -07:00
LICENSE Create LICENSE 2016-10-03 12:24:25 -07:00
README.md Update README.md 2016-11-23 08:49:36 -08:00

README.md

OSS-Fuzz - Continuous Fuzzing for Open Source Software

Status: Beta. We are preparing the project for public release soon.

FAQ | Ideal Fuzzing Integration | New Target Guide | Reproducing Bug Reports | Targets List | Targets Issue Tracker

Create New Issue for questions or feedback about OSS-Fuzz.

Introduction

Fuzz testing is a well-known technique for uncovering various kinds of programming errors in software. Many of these detectable errors (e.g. buffer overflow) can have serious security implications.

We successfully deployed guided in-process fuzzing of Chrome components and found hundreds of security vulnerabilities and stability bugs. We now want to share the experience and the service with the open source community.

In cooperation with the Core Infrastructure Initiative, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques and scalable distributed execution.

At the first stage of the project we use libFuzzer with Sanitizers. More fuzzing engines will be added later. ClusterFuzz provides distributed fuzzer execution environment and reporting.

Process Overview

The following process is used for targets in OSS-Fuzz:

  • A maintainer of an opensource project or an outside volunteer creates one or more fuzz targets and integrates them with the project's build and test system.
  • These fuzz targets are accepted to OSS-Fuzz.
  • When ClusterFuzz finds a bug, an issue is automatically reported in the OSS-Fuzz issue tracker (example). (Why different tracker?). Project owners are CC-ed to the bug report.
  • The bug is fixed upstream.
  • ClusterFuzz automatically verifies the fix, adds a comment and closes the issue.
  • 7 days after the fix is verified or after 90 days after reporting, the issue becomes public (guidelines).

Accepting New Targets

To be accepted to OSS-Fuzz, an open-source target must have a significant user base and/or be critical to the global IT infrastructure. To submit a new target:

  • Create a pull request with new targets/<target_name>/target.yaml file (example) giving at least the following information:
    • target homepage.
    • e-mail of the engineering contact person to be CCed on new issues. This email should be
      linked to a Google Account and belong to an established target committer (according to VCS logs). If this is not you or the email address differs from VCS, an informal e-mail verification will be required.
  • Once accepted by an OSS-Fuzz project member, follow the New Target Guide to write the code.

Bug Disclosure Guidelines

Following Google's standard disclosure policy OSS-Fuzz will adhere to following disclosure principles:

  • 90-day deadline. After notifying target authors, we will open reported issues in 90 days, or 7 days after the fix is released.
  • Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
  • Grace period. We have a 14-day grace period. If a 90-day deadline expires but the upstream engineers lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.

More Documentation

Build status

This page gives the latest build logs for each target.

Trophies

This page gives a list of publically viewable (fixed) bugs found by OSS-Fuzz.

References