Cloudy with a chance of early bugs

Google has open sourced its ClusterFuzz cloud-based bug finding technology, creating a new tool for white hats and software developers to play around with in the process.

ClusterFuzz, a fuzzing infrastructure running on over 25,000 cores, was developed as a cloud-based tool for uncovering memory corruption bugs and the like in its Chrome browser. The technology debuted in 2011.

Two years ago, Google began offering ClusterFuzz as a free service to open source projects through OSS-Fuzz.

ClusterFuzz has become an integral part in the development process from Chrome and many other open source projects, racking up an impressive quota of bug finds in the process.

“ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects,” Google explains in a blog post.

The release of ClusterFuzz as an open source technology means software developers will be able to integrate fuzzing into their application development workflow.

Fuzzing works by automatically feeding a range of weird and wonderful inputs into a system and logging the results, paying particular attention to inputs that cause a system to crash.

Crashes may occur in such a way as to leave hacker-controlled code in sections of memory, where it might subsequently be executed – a serious security bug.

Even without going all the way to remote code execution, bugs can trigger a denial-of-service condition.

ClusterFuzz makes it easier to find such bugs and send them off to be patched before they are ever abused to malevolent ends.

The technology is optimized to run on Google’s Cloud and may need tuning to run on other systems for production deployments, at least.

Early reaction from software developers has been positive.

A few tech giants have released their resilience testing tools to the open source community before.

Netflix’s Chaos Monkey is one of a limited number of examples in this general area, even though it isn’t itself a fuzzing tool.