Fuzzing is an effective way of finding security vulnerabilities, but it does not scale well for a defender trying to protect complex software with many third-party dependencies. The challenges are numerous and daunting: writing fuzz targets by hand, choosing the tools and technologies to integrate with, running these targets continuously at scale, deduplicating crashes precisely, and finally getting the vulnerabilities fixed.
This talk is about how we overcame these challenges to operate the largest publicly known fuzzing infrastructure, running over 25,000 cores and 2,500 targets, and to find over 8,000 security vulnerabilities in several Google products and 200 open source projects (as part of the free OSS-Fuzz service).
We will dive deeper into how our infrastructure ClusterFuzz completely automates the entire fuzzing lifecycle and how we scale the process of writing fuzz targets into developer workflows. Our experience highlights that these methodologies scale well for both large projects (like Chrome) and small projects (like openssl, libxml, and many other OSS-Fuzz projects).
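As an added illustration of the "fuzz target" the abstract refers to (example code, not from the talk, ClusterFuzz or OSS-Fuzz): a libFuzzer-style target of the form OSS-Fuzz projects ship, wrapped around a small, constructed tag-length-value record parser whose bounds checks are exactly what the fuzzer would probe.

```c
/* Added example, not code from the talk, ClusterFuzz or OSS-Fuzz. The TLV
 * record format and parse_records() are constructed for illustration.
 * Fuzz build: clang -g -fsanitize=fuzzer,address target.c -o target */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parses records of the form <1-byte tag><1-byte length><length bytes>.
 * Returns the record count, or -1 if the input is malformed. Each read is
 * bounds-checked against size; these checks are what the fuzzer exercises. */
int parse_records(const uint8_t *data, size_t size) {
    size_t off = 0;
    int count = 0;
    while (off < size) {
        if (size - off < 2) return -1;         /* truncated header */
        uint8_t len = data[off + 1];
        if (size - off - 2 < len) return -1;   /* value runs past the buffer */
        off += 2 + (size_t)len;
        count++;
    }
    return count;
}

/* libFuzzer entry point, the shape OSS-Fuzz targets take. The engine calls it
 * repeatedly with mutated inputs; a sanitizer report raised in here becomes a
 * crash that the infrastructure deduplicates and files. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size > 4096) return 0;                  /* bound the cost per input */
    uint8_t *copy = malloc(size ? size : 1);    /* exact-size heap copy: ASan flags any overread */
    if (copy == NULL) return 0;
    memcpy(copy, data, size);
    parse_records(copy, size);
    free(copy);
    return 0;                                   /* libFuzzer reserves non-zero return values */
}
```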