date 2017-05-13
Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com)
Orome1 writes: In the last five months, Google's OSS-Fuzz program has unearthed over 1,000 bugs in 47 open source software projects... So far, OSS-Fuzz has found a total of 264 potential security vulnerabilities: 7 in Wireshark, 33 in LibreOffice, 8 in SQLite 3, 17 in FFmpeg -- and the list goes on...
Google launched the program in December and wants more open source projects to participate, so they're offering cash rewards for including "fuzz" targets for testing in their software. "Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration" -- or twice that amount, if the proceeds are donated to a charity.
Profit! (Score:4, Funny)
1) Create some horribly insecure OSS software
2) Set up charity, make self "director", limit payouts to cause to under 5%, set director fees to around 90%
3) Integrate Google fuzz, report self and payout to, er, "charity"
4) PROFIT!
Re: (Score:2)
From TFA (in case anyone was wondering about the criteria):
"To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure."
Re: (Score:2)
1.5) Get the OSS community to rely on your software on a daily basis.
Re: (Score:2)
>> or twice that amount ($40K), if the proceeds are donated to a charity.
>> 1) Create some horribly insecure OSS software
>> 2) Set up charity, make self "director", limit payouts to cause to under 5%, set director fees to around 90%
>> 3) Integrate Google fuzz, report self and payout to, er, "charity"
>> 4) PROFIT!
You forgot step 1.5: "Get horribly insecure OSS software to be used by a large number of people and/or be critical to global I/T infrastructure".
Great news! (Score:3, Insightful)
Re: (Score:2)
If you haven't done this for your projects, fuzz testing is an awesome stability and security test for any sort of input parser.
I maintain a small open source project (that no one but me uses, but hey, it's there if people want), and I found several bugs in the parser with my fuzz tests. I just wrote a *very* simple test myself using basic mutation techniques (randomly altering samples of valid input data), and it was still pretty effective.
I'm looking forward to hearing about further positive results from
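The mutation approach the comment above describes (randomly altering samples of valid input and feeding them to the parser) is easy to reproduce end to end. The block below is an added example, not the commenter's own test and not OSS-Fuzz or libFuzzer code: it defines a constructed TLV-style record format, a parser with a planted bounds-check defect next to a hardened version, and a small seeded mutation fuzzer that reports the first input producing an uncontrolled exception. Everything in it (the format, the `ParseError` convention, the seed messages) is an assumption made for the example.

```python
import random


class ParseError(Exception):
    """Controlled rejection of malformed input; the parser is *meant* to raise this."""


def xor_bytes(b: bytes) -> int:
    """Checksum used by the toy format: XOR of all value bytes (0 for an empty value)."""
    x = 0
    for c in b:
        x ^= c
    return x


def encode(records):
    """Build a valid message: repeated [type:1][len:1][value:len][checksum:1] (constructed format)."""
    out = bytearray()
    for t, v in records:
        out += bytes([t, len(v)]) + v + bytes([xor_bytes(v)])
    return bytes(out)


def parse_tlv_buggy(data: bytes):
    """Toy parser with a planted defect: it trusts the length byte and never checks
    that the record fits in the buffer, so truncated or length-corrupted input
    makes it index past the end (IndexError instead of a controlled ParseError)."""
    out, i = [], 0
    while i < len(data):
        t = data[i]
        n = data[i + 1]                 # length byte may not exist
        value = data[i + 2:i + 2 + n]   # slice is silently short when truncated
        checksum = data[i + 2 + n]      # out of range on truncated input
        if checksum != xor_bytes(value):
            raise ParseError("bad checksum")
        out.append((t, value))
        i += 3 + n
    return out


def parse_tlv_fixed(data: bytes):
    """Same format with bounds checks: every malformed input is rejected with
    ParseError, never with an uncontrolled exception."""
    out, i = [], 0
    while i < len(data):
        if i + 3 > len(data):
            raise ParseError("truncated header")
        t, n = data[i], data[i + 1]
        end = i + 3 + n
        if end > len(data):
            raise ParseError("record length exceeds buffer")
        value = data[i + 2:i + 2 + n]
        if data[i + 2 + n] != xor_bytes(value):
            raise ParseError("bad checksum")
        out.append((t, value))
        i = end
    return out


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte insert, byte delete, or truncation."""
    buf = bytearray(sample)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seeds, iterations=2000, seed=1):
    """Mutation fuzzer: derive inputs from valid seeds and return the first
    (input, exception) pair where `parser` fails in an uncontrolled way,
    or None if no such failure was observed."""
    rng = random.Random(seed)          # fixed seed so a run is reproducible
    for _ in range(iterations):
        case = rng.choice(seeds)
        for _ in range(rng.randint(1, 3)):
            case = mutate(case, rng)
        try:
            parser(case)
        except ParseError:
            continue                   # rejecting bad input is correct behaviour
        except Exception as exc:       # anything else is a bug worth reporting
            return case, exc
    return None


# Constructed seed corpus: two well-formed messages.
SEEDS = [encode([(1, b"hello"), (2, b"\x00\x01\x02")]), encode([(9, b"")])]

if __name__ == "__main__":
    crash = fuzz(parse_tlv_buggy, SEEDS)
    print("buggy parser:", "crashed on %r with %r" % crash if crash else "no crash")
    print("fixed parser:", fuzz(parse_tlv_fixed, SEEDS))
```

The important design point is the split between `ParseError` and everything else: a fuzzer only learns something when the harness can tell "the parser correctly rejected garbage" from "the parser fell over", so the target has to commit to one controlled failure path before the fuzzing campaign starts. The same distinction is what a libFuzzer target expresses by returning normally for rejected input and letting sanitizers flag the rest.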
Thank you Google (Score:1)
Thank you, this shows again the advantage of open source free software. Now all communities can start fixing the bugs. There is no security by obscurity, or it's just a false misperception, possibly like with proprietary software.
Re: (Score:2)
https://github.com/google/oss-fuzz/
>> Currently OSS-Fuzz supports C and C++ code (other languages supported by LLVM may work too).
>> We (did) fuzzing of Chrome components...now want to share the...service with the open source community.
Re: (Score:2)
Isn't it interesting how it takes a multi-billion dollar closed-source development company to clean up the security messes left by open source software?
Isn't it interesting how it takes an unpaid outfit to expose the hacks of a multi-billion dollar closed state-sponsored terrorist agency taking advantage of the security messes of multi-billion dollar closed source development companies?
Re: (Score:2)
Ever heard of valgrind?
scan-build?
libasan?
surprised (Score:1)
I'm surprised they found so few in LibreOffice compared to SQLite. SQLite has the most extensive unit tests I've ever seen in my life, and LibreOffice is just so huge relative to it. I guess that goes to saying they're doing a pretty good job.
Re: (Score:2)
The SQLite developers were also surprised by how many bugs OSS-Fuzz (and American Fuzzy Lop [coredump.cx]) have found in SQLite.
The best explanation I have is that OSS-Fuzz and AFL are exploring extreme corner-cases of the code where human-generated tests would never think to go. Fuzzing is great for finding bugs that involve totally unreasonable inputs that never happen in actual practice and which can only appear as part of a deliberate attack. Fuzzing has not found any bugs that would impact the day-to-day use of
What does this do (Score:2)
What does this do that libasan and clang's scan-build don't?
What value is google providing? (Score:2)
It seems all Google is doing is executing LibFuzzer. I'm unsure what value Google is bringing to the table here other than public attention whoring. They demand you give their bot credit for finding vulnerabilities. What about giving credit to the people who actually wrote the software?