back to article Google urges open source community to fuzz test code

Google's open source security team says OSS-Fuzz, its community fuzzing service, has helped fix more than 8,000 security vulnerabilities and 26,000 other bugs in open source projects since its 2016 debut. And the group would like to see open source developers do more fuzzing to make the world a better place, or at least make …

  1. Anonymous Coward
    Windows

    Everything old is new again

    When I was an EDP Auditor (and the acronym should tell you this was many decades ago) I always included randomly punched cards in my data decks and others I knew did the same. It was certainly not as scientific as Barton Miller but at the time it sufficed.

    The practice died out long ago but it's good to see it resurrected in these days when far too many programmers can't be bothered to check their inputs.

  2. amanfromMars 1 Silver badge

    In the Hunt for Searching Alien Escapades Don’t Be an All-Time Old-Time Loser

    Finding/Recognising/Understanding a bug/serious flaw, such as that one which exploits a vulnerability in the TinyGLTF project is one thing, fixing and/or removing and/or destroying it though is quite another, as any vulnerability which is akin to insider trading would clearly demonstrate ..... for there would always be those imagining and utilising such as an attractive and rewarding feature able whenever properly stealthily enabled to award considerably more than just five figure sums to random rogue or corporate bounty hunters.

    And as projects and code to XSS continue to grow ever more needy and complex, will serious critical systemic vulnerabilities become ever more difficult and unlikely to be uncovered and thus will a whole new entrepreneurial market space be established in command and control of practically unknown but universally present, sensitive and secret Virtualised AIdVentures exploiting newly minted possibilities/raw core source opportunities.

    Don't deny it or knock it for it is only natural supernatural and revolutionary evolutionary progress. Embrace and Enjoy and Employ IT whenever and wherever you can is the secret to learn for unrivalled almighty success by any measure.

  3. aldolo

    glorification of the monkey test

    "bang on the keyboard until the software crash"

    1. G.Y.

      1YO Re: glorification of the monkey test

      I know of a 1-year-old who crashed a "secure" OS that way. But he couldn't explain how he did it

      1. Roland6 Silver badge

        Re: 1YO glorification of the monkey test

        And the keyboard survived the attention of a 1-year-old, awesome!

  4. iron Silver badge

    Fuzzing is not the answer to every question and for some projects and languages does not make any sense.

    1. Michael Wojcik Silver badge

      Who claimed it was "the answer to every question"?

      And fuzzing is language-independent, so that part of your claim makes no sense.

  5. Anonymous Coward
    Anonymous Coward

    To be cynical...

    ....why bother when user input isn't even escaped before the SQL query?

  6. Charlie Clark Silver badge

    Time and effort required

    This is a great initiative and ane of my projects has been added and I've received a few reports. However, setting things up locally in order to be able to reproduce the problems is going to take time so it will have to wait until I'm free to spend a couple of days.

  7. Michael Wojcik Silver badge

    In 2016?

    "[In 2016], fuzzing was not widely used and was cumbersome for developers"

    Oh, please. Not widely used, true; but "cumbersome"? Zalewski had released AFL three years prior to that. There was little excuse for not fuzzing any software compiled with GCC that took command-line or file inputs. Free and simple tools for tasks like network-protocol fuzzing took longer to arrive, but for a great many use cases fuzzing was readily available in 2016. Developers simply didn't want to do it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like