Google recently announced a new step in its long-term fuzzing efforts. We're very excited to hear that they are open sourcing ClusterFuzz, an infrastructure for running multiple fuzzers on a project. It's great to see this, as it helps demonstrate that fuzzing can be extremely useful for organizations in finding security and denial-of-service vulnerabilities.
Google noted that as of January 2019, ClusterFuzz has found ~16,000 bugs in Chrome and ~11,000 bugs in over 160 open source projects integrated with OSS-Fuzz.
While ClusterFuzz is language-agnostic and new fuzzers can be added for new languages, fuzzing support for managed languages (such as Java) is nearly non-existent today. Managed languages, however, are subject to many of the same vulnerabilities that fuzzers detect in non-managed languages: null pointer exceptions, hangs, excessive resource utilization and unintended infinite loops.
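A minimal in-process mutation fuzzer for a Java target, added here as an illustration (it is not code from Diffblue, ClusterFuzz or Solr): the parser and its two bugs are constructed for the example, and the harness shows how two of the classes listed above, a null pointer exception and an unintended infinite loop, surface as a deduplicated crash signature and a timeout.

```java
import java.util.*;
import java.util.concurrent.*;

// Constructed target for this example (not code from the post): parses "k=v;k=v" strings
// and deliberately contains two of the bug classes listed above: a NullPointerException
// when a pair has no '=', and an unintended infinite loop when a value contains '#'.
public final class MiniFuzzer {
    static Map<String, String> parseConfig(String input) {
        Map<String, String> out = new HashMap<>();
        for (String pair : input.split(";")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? null : pair.substring(0, eq);
            String value = eq < 0 ? pair : pair.substring(eq + 1);
            for (int i = 0; i < value.length();) if (value.charAt(i) != '#') i++; // bug: '#' is never consumed -> hang
            out.put(key.trim(), value);                                          // bug: NPE when key == null
        }
        return out;
    }
    // One random mutation of a seed input: insert, delete or replace a character.
    static String mutate(String seed, Random rnd) {
        String alphabet = "ab=;# 0";
        StringBuilder sb = new StringBuilder(seed);
        int pos = sb.length() == 0 ? 0 : rnd.nextInt(sb.length());
        char c = alphabet.charAt(rnd.nextInt(alphabet.length()));
        int op = rnd.nextInt(3);
        if (op == 0 || sb.length() == 0) sb.insert(pos, c);
        else if (op == 1) sb.deleteCharAt(pos);
        else sb.setCharAt(pos, c);
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newCachedThreadPool(r -> { Thread t = new Thread(r); t.setDaemon(true); return t; });
        Random rnd = new Random(42);                           // fixed seed: reproducible campaign
        List<String> corpus = new ArrayList<>(List.of("a=b;c=d"));
        Map<String, String> findings = new LinkedHashMap<>();  // crash signature -> triggering input
        for (int iter = 0; iter < 2000; iter++) {
            String input = mutate(corpus.get(rnd.nextInt(corpus.size())), rnd);
            Future<?> run = pool.submit(() -> parseConfig(input));
            try {
                run.get(200, TimeUnit.MILLISECONDS); corpus.add(input);   // survived: becomes a new seed
            } catch (ExecutionException e) {                              // crash: dedupe by type + throwing line
                Throwable c = e.getCause(); StackTraceElement[] st = c.getStackTrace();
                findings.putIfAbsent(c.getClass().getSimpleName() + "@" + (st.length > 0 ? st[0].getLineNumber() : "?"), input);
            } catch (TimeoutException e) {                                // hang: the worker thread is still spinning
                findings.putIfAbsent("HANG", input);
                break;  // an in-process harness cannot kill that thread, so stop; real fuzzers isolate the target in its own process
            }
        }
        findings.forEach((sig, in) -> System.out.println(sig + " <- \"" + in + "\""));
    }
}
```

Compile and run with `javac MiniFuzzer.java && java MiniFuzzer`; the daemon worker threads let the JVM exit even though the hung parse keeps spinning.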
At Diffblue we have combined multiple dynamic code analysis techniques (including fuzzing) into a tool for testing large web services. Diffblue Microservice Testing's main value is its capacity to find nasty corner cases without having to wait for QA or a canary deployment.
We recently gave Diffblue Microservice Testing 24 hours to generate tests for a large Java service (Apache Solr, 288 KLOC) and it produced 36% coverage in 7 pre-selected packages. More importantly, it found more than 70 unique ways to crash the server response (mainly null pointer exceptions, some of which are now being fixed by the Solr developers). See the full details of our work on Apache Solr.
Fuzzing technology is still massively underused today, even in mature projects. Fortunately, there is a growing research community behind it. Large organizations have understood its benefits and are backing this effort, which is exciting to see.
Source for ClusterFuzz numbers: Google blog.