ClusterFuzz: Fuzzing at Google Scale

Presented at Black Hat Europe 2019, Dec. 4, 2019, 4:50 p.m. (50 minutes)

Fuzzing is an effective way of finding security vulnerabilities, but it does not scale well for a defender trying to protect complex software with several third-party dependencies. There are numerous daunting challenges that come into play, which include writing the fuzz targets manually, determining which tools and technologies to integrate with, managing continuous fuzzing of these targets at scale, precise crash deduplication, and finally getting the vulnerabilities fixed.

This talk is about how we overcame these challenges to operate the largest publicly known fuzzing infrastructure, running over 25,000 cores and 2,500 targets, and finding over 8,000 security vulnerabilities in several Google products and 200 open source projects (as part of the free OSS-Fuzz service).

We will dive deeper into how our infrastructure ClusterFuzz completely automates the entire fuzzing lifecycle and how we scale the process of writing fuzz targets into developer workflows. Our experience highlights that these methodologies scale well for both large projects (like Chrome) and small projects (like openssl, libxml, and many other OSS-Fuzz projects).
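The abstract lists "writing the fuzz targets manually" as the first hurdle. As an added illustration (not code from the talk, from ClusterFuzz or from OSS-Fuzz), the following is a minimal libFuzzer-style target for a hypothetical tag-length-value parser, `tlv_parse`, written here for the example. It shows the contract such a target must honour: the entry point `LLVMFuzzerTestOneInput` takes an arbitrary byte buffer, must not crash on well-formed or malformed input, and returns 0. The parser bounds-checks every read, so running it under AddressSanitizer should stay silent; removing any one check is enough for a fuzzer to find the resulting out-of-bounds read.

```c
// Added example: a libFuzzer-style fuzz target for a hypothetical TLV parser.
// Build for fuzzing with: clang -g -O1 -fsanitize=fuzzer,address tlv_fuzz.c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 16

/* One record: a 1-byte tag, a 1-byte length, then `len` bytes of value. */
typedef struct {
    uint8_t tag;
    uint8_t len;
    const uint8_t *val;
} tlv_record;

/* Parse up to `max_out` records from `data`. Returns the number of records
 * parsed, or -1 on malformed input. Every read is checked against `size`
 * before it happens, which is exactly what the fuzzer is there to verify. */
int tlv_parse(const uint8_t *data, size_t size, tlv_record *out, size_t max_out) {
    size_t pos = 0;
    int count = 0;
    while (pos < size) {
        if (size - pos < 2) return -1;            /* truncated header */
        uint8_t tag = data[pos];
        uint8_t len = data[pos + 1];
        pos += 2;
        if (len > size - pos) return -1;          /* length runs past the buffer */
        if ((size_t)count >= max_out) return -1;  /* more records than we can hold */
        out[count].tag = tag;
        out[count].len = len;
        out[count].val = data + pos;
        count++;
        pos += len;
    }
    return count;
}

/* libFuzzer entry point. It must be deterministic, must not modify `data`,
 * and must return 0 (other values are reserved by libFuzzer). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    tlv_record records[MAX_RECORDS];
    int n = tlv_parse(data, size, records, MAX_RECORDS);
    /* Touch every byte the parser claims is in bounds; if the parser ever
     * hands back a bad pointer/length pair, AddressSanitizer reports it here. */
    for (int i = 0; i < n; i++) {
        volatile uint8_t sink = 0;
        for (uint8_t j = 0; j < records[i].len; j++) sink ^= records[i].val[j];
        (void)sink;
    }
    return 0;
}

/* Stand-alone reproducer: feeds one file (for example a saved crash testcase)
 * to the target. Remove this main when linking with -fsanitize=fuzzer, which
 * supplies its own driver. */
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <testcase-file>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    uint8_t buf[65536];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int rc = LLVMFuzzerTestOneInput(buf, n);
    printf("target returned %d for %zu input bytes\n", rc, n);
    return rc;
}
```

The reproducer `main` mirrors how a crash testcase minimized by a fuzzing infrastructure is later replayed by a developer: the same entry point, one file of bytes, no fuzzing engine required.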


Presenters:

  • Oliver Chang - Senior Software Engineer, Google
    Oliver Chang is a security engineer in the Google Chrome Security Team and the lead developer of ClusterFuzz, a highly scaled and automated fuzzing infrastructure that fuzzes Chrome and several other Google products. In December 2016, he led the launch of OSS-Fuzz, a free fuzzing service for the open source community which has since grown to more than 200 projects. These efforts combined have resulted in more than 8,000 security vulnerabilities to date.
  • Abhishek Arya - Senior Staff Software Engineer, Google
    Abhishek Arya is one of the early members of the Google Chrome Security Team and the founder of ClusterFuzz, a highly scaled and automated fuzzing infrastructure that fuzzes Chrome and several other Google products. In December 2016, his team launched OSS-Fuzz, a free fuzzing service for the open source community which has since grown to more than 200 projects. These efforts combined have resulted in more than 8,000 security vulnerabilities to date.