Recent years have seen increasing alarm about the scale of data breaches and the vulnerability of key internet infrastructure. The Heartbleed bugs discovered in OpenSSL in 2014, followed by Stagefright in the Android operating system, revealed the scale of the danger. Legislative moves in the US and UK to oblige network operators to provide deliberate back doors, have fuelled fears that even governments fail to understand the risks. A survey by network security company Tenable in 2015 reported that cyber-security professionals are more sceptical than ever of their ability to secure the cloud from an “overwhelming cyber-threat environment”.
Here comes the Fuzz.
Much of the infrastructure being open source, Google teamed up with Core Infrastructure Initiative, (itself backed by companies like Amazon, Cisco, Google, HP, IBM and Fujitsu via the Linux Foundation) to develop tools to close down as many bugs as possible. The new service, dubbed OSS-Fuzz, is one of the outcomes.
The fuzzing method consists essentially of a brute force approach, utilising Google’s resources to continuously batter architectures with a vast array of malformed inputs within massively distributed environments. The method isn’t new in itself (libFuzzer, one of several engines used in OSS-Fuzz, is already used to test Chrome) but their systematic and continual application to the global infrastructure, rather than to the testing of a single application, is what sets the initiative apart.
How secure are you?
OSS-Fuzz is only available so far for critical infrastructure testing, not to individual enterprises and developers, who therefore need their own software testing services. A crowd-sourced testing provider is able to do much that Google is doing and examine how systems function on the vast range of devices and operating environments in the real world. For example, see https://www.bugfinders.com.
Black Duck software say that there’s a 98% chance your code base contains unreported and untracked open source – https://www.blackducksoftware.com/. In their survey, 50% of companies admitted they had no processes to track their use of open source code, let alone to approve its use.
Google’s operation is still in Beta but has already identified bugs in several key software architectures including sqlite3, the most used database engine in the world, ffmpeg, used for media streaming, pcre2, a component of Perl, and libarchive, a component in compression software.