oss-fuzz/README.md

2.5 KiB

OSS-Fuzz - Continuous Fuzzing for Open Source Software

Introduction

Fuzz testing is a well-known technique for uncovering various kinds of programming errors in software. Many of these detectable errors (e.g. buffer overflow) can have serious security implications.

We successfully deployed guided in-process fuzzing of Chrome components and found hundreds of security vulnerabilities and stability bugs. We now want to share the experience and the service with the open source community.

In cooperation with the Core Infrastructure Initiative, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques and scalable distributed execution.

We support libFuzzer and AFL as fuzzing engines in combination with Sanitizers. ClusterFuzz provides a distributed fuzzer execution environment and reporting. You can checkout ClusterFuzz here.

Currently OSS-Fuzz supports C and C++ code (other languages supported by LLVM may work too).

Documentation

You can find detailed documentation here.

Trophies

As of August 2019, OSS-Fuzz has found ~14,000 bugs in over 200 open source projects.

Blog posts

  • 2016-12-01 (1, 2, 3)
  • 2017-05-08 (1, 2, 3)
  • 2018-11-06 (1)