Google recently announced a new step in its long-term fuzzing efforts. We're very excited to hear that they are open sourcing ClusterFuzz, an infrastructure for running multiple fuzzers against a project at scale. It's great to see Google open source it, as it helps demonstrate that fuzzing can be extremely useful for organizations in finding security and denial-of-service vulnerabilities.

[Figure: diagram of the ClusterFuzz process flow used by Google]

Google noted that as of January 2019, ClusterFuzz has found ~16,000 bugs in Chrome and ~11,000 bugs in over 160 open source projects integrated with OSS-Fuzz.

While ClusterFuzz is language-agnostic and it's possible to add new fuzzers for new languages, fuzzing support for managed languages (such as Java) is nearly non-existent today. Managed languages, however, are subject to many of the same bug classes that fuzzers detect in unmanaged languages: null pointer exceptions, hangs, excessive resource utilization, and unintended infinite loops.
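As an added illustration of those bug classes in a managed language (this is not code from ClusterFuzz or OSS-Fuzz), here is a minimal random-input harness in Java. The target `parseRecord` is a hypothetical function with two planted defects; the harness runs each input under a timeout to flag hangs and classifies thrown exceptions into the categories above.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.concurrent.*;

// Added example, not ClusterFuzz code: a tiny random-input harness that
// sorts findings into the bug classes a Java fuzzer should look for.
public class MiniFuzz {
    // Hypothetical target with two planted defects (constructed for the demo).
    static String parseRecord(byte[] input) {
        String s = new String(input, StandardCharsets.ISO_8859_1);
        String[] parts = s.split(":", 2);
        String key = parts[0];
        String value = parts.length > 1 ? parts[1] : null;
        if (key.isEmpty()) { while (true) { } }   // unintended infinite loop
        return key + "=" + value.trim();          // NPE when ':' is absent
    }

    static String classify(Throwable t) {
        if (t instanceof NullPointerException) return "NPE";
        if (t instanceof OutOfMemoryError || t instanceof StackOverflowError)
            return "RESOURCE";
        return "CRASH:" + t.getClass().getSimpleName();
    }

    public static void main(String[] args) throws Exception {
        // Daemon threads so a target stuck in a loop cannot keep the JVM alive.
        ExecutorService pool = Executors.newCachedThreadPool(r -> {
            Thread t = new Thread(r); t.setDaemon(true); return t; });
        Random rnd = new Random(1);              // fixed seed: reproducible run
        Map<String, String> firstSeen = new TreeMap<>();
        for (int i = 0; i < 64; i++) {
            byte[] input = new byte[rnd.nextInt(8)];
            rnd.nextBytes(input);
            Future<String> f = pool.submit(() -> parseRecord(input));
            String kind;
            try {
                f.get(100, TimeUnit.MILLISECONDS);
                continue;                         // no finding on this input
            } catch (TimeoutException e) {
                f.cancel(true);                   // abandon the hung thread
                kind = "HANG";
            } catch (ExecutionException e) {
                kind = classify(e.getCause());    // exception from the target
            }
            // Keep the first reproducer per bug class, as a triage queue would.
            firstSeen.putIfAbsent(kind, Arrays.toString(input));
        }
        firstSeen.forEach((k, v) -> System.out.println(k + " first reproducer: " + v));
    }
}
```

With the fixed seed the run reports a HANG reproducer (empty input) and an NPE reproducer (input without ':'); a real fuzzer adds coverage feedback, crash deduplication and resource limits on top of this loop.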

Fuzzing technology is still massively underused today, even in mature projects. Fortunately, there is a growing research community behind it. Large organizations have understood its benefits and are backing this effort, which is exciting to see.