Google’s OSS-Fuzz extends fuzzing to Java apps

Google’s open source fuzz-testing service, OSS-Fuzz, now supports applications written in Java and JVM-based languages.

Google’s open source fuzz-testing service, OSS-Fuzz, now supports applications written in Java and JVM-based languages. The capability was introduced on March 10.

OSS-Fuzz offers continuous fuzzing for open source software. Fuzzing, a technique for finding programming errors and security vulnerabilities in software, consists of feeding a stream of semi-random and invalid input to a program. Fuzzing code written in memory-safe languages such as the JVM languages can find bugs that cause programs to crash or misbehave.

Google enabled fuzzing for Java and the JVM by integrating OSS-Fuzz with the Jazzer fuzzer from Code Intelligence. Jazzer lets users fuzz code written in JVM-based languages via the LLVM project’s libFuzzer, an in-process, coverage-guided fuzzing engine, in the same way this has been done for C/C++ code. Languages supported by Jazzer include Java, Clojure, Kotlin, and Scala. Code coverage feedback is provided from JVM bytecode to libFuzzer, with Jazzer supporting libFuzzer features such as:

  • FuzzedDataProvider, for fuzzing code that does not accept an array of bytes.
  • Evaluation of code coverage based on 8-bit edge counters.
  • Minimization of crashing inputs.
  • Value profiles.

Google has provided documentation on adding open source projects written in JVM languages to OSS-Fuzz. Plans call for Jazzer to eventually support all libFuzzer features. Jazzer can also provide coverage feedback from native code executed through the Java Native Interface, which can uncover memory corruption vulnerabilities in memory-unsafe native code. OSS-Fuzz also lists languages such as Go, Python, C/C++, and Rust as supported languages.
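To show what a Jazzer fuzz target for OSS-Fuzz looks like, here is an added example that is not code from Google, Code Intelligence, or the article: a harness using the FuzzedDataProvider feature mentioned above to drive a toy record decoder. The wire format, the `decode`/`decodeChecked` functions, and the class name `RecordDecoderFuzzer` are constructed for this example; the entry point `fuzzerTestOneInput` and the `com.code_intelligence.jazzer.api.FuzzedDataProvider` type are Jazzer's real API.

```java
// Added example harness (hypothetical), not part of Jazzer or OSS-Fuzz.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class RecordDecoderFuzzer {
    // Toy wire format constructed for this example: [u8 count] then count x ([u8 len][len bytes]).
    // decode() trusts the embedded lengths, so a lying header makes it read past the
    // buffer and throw an IndexOutOfBoundsException, which Jazzer reports as a finding.
    static List<String> decode(byte[] buf, int maxRecords) {
        List<String> out = new ArrayList<>();
        int count = buf[0] & 0xff;              // throws on empty input
        int pos = 1;
        for (int i = 0; i < count && i < maxRecords; i++) {
            int len = buf[pos++] & 0xff;        // unchecked read
            out.add(new String(buf, pos, len, StandardCharsets.UTF_8));
            pos += len;
        }
        return out;
    }

    // Hardened version: every length is checked against the bytes that remain, and
    // malformed input is rejected with a documented IllegalArgumentException.
    static List<String> decodeChecked(byte[] buf, int maxRecords) {
        if (buf.length == 0) throw new IllegalArgumentException("empty input");
        List<String> out = new ArrayList<>();
        int count = buf[0] & 0xff;
        int pos = 1;
        for (int i = 0; i < count && i < maxRecords; i++) {
            if (pos >= buf.length) throw new IllegalArgumentException("truncated header");
            int len = buf[pos++] & 0xff;
            if (len > buf.length - pos) throw new IllegalArgumentException("length exceeds input");
            out.add(new String(buf, pos, len, StandardCharsets.UTF_8));
            pos += len;
        }
        return out;
    }

    // Jazzer entry point. FuzzedDataProvider splits the libFuzzer-generated input into
    // typed values, so the harness can drive an API that takes an int as well as bytes.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        int maxRecords = data.consumeInt(0, 64);
        byte[] wire = data.consumeRemainingAsBytes();
        try {
            decodeChecked(wire, maxRecords);
        } catch (IllegalArgumentException rejected) {
            // Expected rejection of malformed input; not a finding.
        }
        // Pointing the harness at decode() instead surfaces the unchecked reads as
        // uncaught exceptions, which Jazzer reports along with a minimized input.
    }
}
```

Run it with Jazzer's `--target_class=RecordDecoderFuzzer`; only exceptions that escape `fuzzerTestOneInput` count as crashes, so catching the decoder's documented rejection keeps the corpus focused on real defects.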

Copyright © 2021 IDG Communications, Inc.