It has been just a couple of months since Microsoft announced its Project Springfield code fuzzing service, and now Google has launched the beta version of its own OSS-Fuzz. The purpose of both is to help developers locate the bugs in their code that might eventually lead to breaches. Although the two services work towards the same cause, one is a paid service while the other is free; one is proprietary while the other is open source.
Google has described OSS-Fuzz as ‘continuous fuzzing for open source software’. According to the development team in Google’s Testing Blog, “OSS-Fuzz’s goal is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution. OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers (initially, AddressSanitizer) and provides a massively distributed execution environment powered by ClusterFuzz.”
It fills a gap left by Project Springfield. Since the fuzzing service offered by Microsoft is a commercial product, it can only be used by customers willing and able to pay for it. This does not exclude open source developers, but it is noticeable that it is specifically marketed to business customers: suitable for testing in-house software, software acquired through M&A, and even third-party software being considered for purchase.
Google notes that “Open source software is the backbone of the many apps, sites, services, and networked things that make up ‘the internet’… An example is the FreeType library, which is used on over a billion devices to display text (and which might even be rendering the characters you are reading now).” It is important that such widely deployed software is bug-free and secure. “Recently the FreeType fuzzer found a new heap buffer overflow only a few hours after the source change.”
The ‘continuous’ nature of the service solves another problem: open source software may have multiple maintainers applying changes on an almost continuous basis, so a one-off audit goes stale quickly. “OSS-Fuzz automatically notified the maintainer, who fixed the bug,” announced Google; “then OSS-Fuzz automatically confirmed the fix. All in one day!”
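To make concrete what the libFuzzer-plus-AddressSanitizer combination described above actually looks like from a maintainer's side, and the kind of heap buffer overflow the FreeType report refers to, here is an added example; it is not code from OSS-Fuzz, Google or the FreeType project. It fuzzes a constructed toy record format (one length byte followed by that many name bytes) whose parser trusts the length byte, shows the fixed parser beside it, and includes a small replay driver for the find-fix-confirm loop the article describes. The record layout, the `NAME_MAX` limit and all function names are assumptions made for the example.

```c
/* Added example (not from OSS-Fuzz, Google or FreeType): a libFuzzer-style
 * target for a constructed toy record format, the heap buffer overflow that
 * AddressSanitizer reports when it is fuzzed, and the fixed parser.
 *
 * Record layout (assumed for this example): [len: 1 byte][name: len bytes]
 *
 * Fuzz (buggy):      clang -g -O1 -fsanitize=fuzzer,address record_fuzz.c -o record_fuzz
 *                    ./record_fuzz          # ASan: heap-buffer-overflow in parse_record_unsafe
 * Fuzz (fixed):      clang -g -O1 -DFIXED -fsanitize=fuzzer,address record_fuzz.c -o record_fuzz_fixed
 *                    ./record_fuzz_fixed crash-<hash>   # replays the saved input; exits 0 if the fix holds
 * Replay, no fuzzer: cc -DREPLAY_MAIN -fsanitize=address record_fuzz.c -o replay && ./replay crash-<hash>
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16  /* fixed-size field the record is parsed into (assumed) */

typedef struct {
    char name[NAME_MAX];
} record_t;

/* Buggy parser: returns 0 on success, -1 if the input is truncated or empty. */
int parse_record_unsafe(const uint8_t *data, size_t size, record_t *out) {
    if (size < 1) return -1;
    size_t len = data[0];
    if (size < 1 + len) return -1;      /* the read stays in bounds... */
    memcpy(out->name, data + 1, len);   /* ...but len >= NAME_MAX writes past out->name */
    out->name[len] = '\0';
    return 0;
}

/* Fixed parser: the length byte is validated against the destination field. */
int parse_record_safe(const uint8_t *data, size_t size, record_t *out) {
    if (size < 1) return -1;
    size_t len = data[0];
    if (len >= NAME_MAX) return -1;     /* leave room for the NUL terminator */
    if (size < 1 + len) return -1;
    memcpy(out->name, data + 1, len);
    out->name[len] = '\0';
    return 0;
}

#ifdef FIXED
#define parse_record parse_record_safe
#else
#define parse_record parse_record_unsafe
#endif

/* Name length of a parsed record, or -1 if the parser rejected the input.
 * The record is heap-allocated, so an over-long name is a heap-buffer-overflow. */
static int name_len_with(int (*parser)(const uint8_t *, size_t, record_t *),
                         const uint8_t *data, size_t size) {
    record_t *r = malloc(sizeof *r);
    if (!r) return -1;
    int rc = parser(data, size, r);
    int len = rc == 0 ? (int)strlen(r->name) : -1;
    free(r);
    return len;
}

int unsafe_name_len(const uint8_t *data, size_t size) { return name_len_with(parse_record_unsafe, data, size); }
int safe_name_len(const uint8_t *data, size_t size)   { return name_len_with(parse_record_safe, data, size); }

/* libFuzzer entry point: called once per generated input; must not crash or leak. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    record_t *r = malloc(sizeof *r);
    if (r) {
        parse_record(data, size, r);
        free(r);
    }
    return 0;
}

#ifdef REPLAY_MAIN
/* Minimal replay driver: feed each file named on the command line to the target,
 * the way a maintainer reproduces a saved fuzzer testcase locally. */
int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); return 1; }
        uint8_t buf[4096];
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        LLVMFuzzerTestOneInput(buf, n);
        printf("%s: parsed without error\n", argv[i]);
    }
    return 0;
}
#endif
```

Under the fuzzer build, libFuzzer needs only a few seconds to generate an input whose first byte is 16 or larger, at which point AddressSanitizer aborts with a heap-buffer-overflow report pointing at the `memcpy` in `parse_record_unsafe` and writes the offending bytes to a `crash-<hash>` file. Rebuilding with `-DFIXED` and passing that file back to the binary is the same confirmation step OSS-Fuzz performs automatically once the maintainer's fix lands: the parser now returns -1 instead of writing past the 16-byte allocation.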
There is no suggestion that either Google’s or Microsoft’s service is better than the other — they are different methods serving different purposes. “The OSS-Fuzz effort,” said HD Moore, the Metasploit founder now with Special Circumstances LLC, “can be compared to the Coverity program for open source projects; a way to apply commercial-level resources to improving the security of critical open source programs and libraries.
“Project Springfield seems a bit different,” he continued, “in that it focuses on providing a for-pay service for all developers, not just open source projects. Google as a company has already made significant contributions to this space through their employee work on open source tools (AFL, etc) and this effort seems very much in that vein.”