UPDATED 12:00 EST / NOVEMBER 11 2021

APPS

Google announces ClusterFuzzLite open-source solution for detecting bugs using ‘fuzzing’

Google LLC today announced the release of ClusterFuzzLite with an aim to make it easy to integrate fuzzing – a technique for finding bugs in software using random or invalid data – into software development workflows.

Fuzzing, also called fuzz testing, has become a fundamental part of discovering software bugs and vulnerabilities. It can catch bugs that can slip by manual tests by throwing random and unexpected data at code in order to produce out-of-bounds results and crashes, which are likely to reveal flaws in the software.

This sort of testing is especially important for any software that will be exposed to external user input. That’s because this is where hackers will attempt to exploit the system or a user could accidentally run across a case that crashes the application.

ClusterFuzzLite works alongside OSS-Fuzz, a program developed by Google to provide continuous fuzzing for select core open-source software projects. Since the release of OSS-Fuzz in 2016, it has led to the detection and repair of more than 6,500 vulnerabilities and 21,000 functional bugs across more than 500 critical open-source projects.

Google said large projects such as systemd, the user process management service on the Linux operating system, and curl, a command-line tool and library for transferring data, are already using ClusterFuzzLite during code review.

Image: Google

“When the human reviewers nod and have approved the code and your static code analyzers and linters can’t detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness,” said Daniel Stenberg, author of curl. “OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.”

ClusterFuzzLite makes it simpler to integrate fuzzing into any project workflow and makes fuzz testing an essential standard during commits. GitHub users can easily add it into their workflow and fuzz pull requests to catch bugs before code is committed with only a few lines of code. Equally important, it’s easy to set up for closed-source projects as well.

By adding fuzzing during the integration process, bugs in the code can be caught before new code is added to the main codebase. The solution currently supports GitHub Actions, Google Cloud Build and Prow. It was built with continuous integration system extensibility in mind, and the team made it so that adding support for other CI systems is straightforward.

Further information is available on the ClusterFuzzLite documentation page.

Image: Unsplash

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.