Categories: InfoSec News

Google urges open source community to fuzz test code

Published by
RiSec.n0tst3

Google’s open source security team says OSS-Fuzz, its community fuzzing service, has helped fix more than 8,000 security vulnerabilities and 26,000 other bugs in open source projects since its 2016 debut.

We’ll even get our chequebook out, web giant says

And the group would like to see open source developers do more fuzzing to make the world a better place, or at least make software a bit more secure. So it’s offering concrete incentives versus exposure points.

Fuzzing, or fuzz testing, is a software testing technique that tries to find bugs by injecting random or semi-random data into software. It was developed by UW-Madison computer science professor Barton Miller in 1989 [PDF]. Miller wanted to understand how noise created by a rainstorm interfered with his dial-up modem connection to a Unix system, and this opened up new areas of research into code analysis.

Google launched OSS-Fuzz in 2016 in response to the Heartbleed vulnerability, a memory buffer overflow flaw that could have been detected by fuzz testing.

“At the time, though, fuzzing was not widely used and was cumbersome for developers, requiring extensive manual effort,” explain Jonathan Metzman and Dongge Liu, from Google’s Open Source Security Team, in a blog post.

OSS-Fuzz currently checks some 700 critical open source projects for bugs and in July spotted a serious flaw in the TinyGLTF project, a library that relies on the C library function wordexp() for file path expansion on untrusted paths from an input file.

“This vulnerability shows that it was possible to inject backticks into the input glTF file format and allow commands to be executed during parsing,” explained Metzman and Liu.

source

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Please login to bookmark Close
Social Comments Box
Connect
Share the word, let's increase Cybersecurity Awareness as we know it

This post was last modified on 24 October 2022 2:55 PM

RiSec.n0tst3

Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

Leave a Comment
Published by
RiSec.n0tst3
Tags: code Fuzz google Open Source

Recent Posts

  • Data Breach News
  • InfoSec News

WH Smith Announces Cyber-Attack: Employee Data Stolen

British high street chain WH Smith has recently revealed that it was hit by a…

2 years ago
  • InfoSec News
  • World Affairs

Voice ID: How Secure is it Really?

As banks worldwide roll out Voice ID as a means of user authentication over the…

2 years ago
  • Cybersecurity Academy
  • InfoSec News

What distinguishes Application Security from API Security?

In the era of digital transformation, cybersecurity has become a major concern for businesses. When…

2 years ago
  • Cybersecurity Academy
  • InfoSec News

The Top 5 Cybersecurity threats facing Businesses Today

In today's digital age, cybersecurity threats have become a significant concern for businesses of all…

2 years ago
  • InfoSec News
  • World Affairs

Enterprise users infected by RIG Exploit Kit thanks to Internet Explorer

The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…

2 years ago
  • Cybersecurity Academy

The Rise and Rise of AI

One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…

2 years ago