Google made its scalable fuzzing tool, called ClusterFuzz available as open source, yesterday. ClusterFuzz is used by Google for fuzzing the Chrome Browser, a technique that helps detect bugs in software by feeding unexpected inputs to a target program. For fuzzing to be effective, it should be continuous, done at scale, and integrated into the development process of a software project.
ClusterFuzz can run on clusters with over 25,000 machines and can effectively highlight security and stability issues in software. It serves as the fuzzing backend for OSS-Fuzz, a service that Google released back in 2016. ClusterFuzz was earlier offered as free service to open source projects through OSS-Fuzz but is now available for anyone to use.
ClusterFuzz comes with a variety of features that help integrate fuzzing into a software project’s development process. Here are some of the key features in ClusterFuzz:
- Helps with accurate deduplication of crashes.
- Comes with a fully automatic bug filing and closing for issue trackers.
- Includes statistics for analyzing fuzzer performance, and crash rates.
- Comprises easy-to-use web interface for management and viewing crashes.
ClusterFuzz has so far tracked more than 16,000 bugs in Chrome and over 11,000 bugs in more than 160 open source projects integrated with OSS-Fuzz. ClusterFuzz can detect bugs hours after they have been introduced and is capable of verifying the fix within a day.
“We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed. Through open sourcing ClusterFuzz, we hope to encourage all software developers to integrate fuzzing into their workflows.”, states the ClusterFuzz team members.
For more information, check out the ClusterFuzz’s official GitHub repository.