
Fuzzit: Building Fuzzing into Continuous Integration Workflows

4 Feb 2020 7:26am, by

Far from new, fuzzing is experiencing a resurgence amid the complexity of delivering software faster — especially in the cloud.

One of the newest entrants to the market is Tel Aviv-based Fuzzit, yet another security startup from founders who gained experience with the Israeli Defense Forces.

Fuzzing involves feeding large volumes of generated or mutated inputs into a program and watching for crashes, hangs and memory errors in order to root out bugs. Attackers use the same technique to find vulnerabilities and exploit them.

“We focus on helping companies introduce fuzzing into their current CI workflows. We have integrations with any CI: GitHub, GitLab, in-house CI, Jenkins,” said founder and CEO Yevgeny Pats.

His experience with a consulting company revealed that for many clients, doing their own fuzzing proves too onerous.

“The reason you need a third party is because of the workload of fuzzing. …Fuzzing is usually a long-running job. You can’t run them easily in your CI without blocking your entire CI team. So you need to run fuzzing another place,” he said.

Focused on Open Source

Pats founded the five-person company in early 2019. He also founded the anti-phishing automation platform Phish.AI.

Fuzzit began as a consulting company doing penetration testing on web and mobile applications. After it wrote fuzz tests for clients and found bugs, the clients either never ran the tests again or only ran them a year later.

“Eventually they asked us to manage it so they could run the tests every time they push new code,” he said.

Open source projects including systemd, CoreDNS, Prometheus and the Envoy proxy are among its users.

Open source projects face particular challenges, he said.

“There’s a lot of different people involved. [They might] use fuzzing with a pull request, but when they do the merge, they didn’t have this version and now they can’t find the developer. We help them find the crashes in the pull request when the developer can’t be found and fix all those crashes,” he said.

At Scale

The SaaS product lets users run their existing libFuzzer and AFL (American Fuzzy Lop) targets at scale with deep analysis. It supports C, C++, Java, Go, Rust and Swift.

It can work with any continuous integration (CI) tool. You can run quick regression tests on every pull request, replaying the saved corpus and previously found crash inputs, alongside long-running jobs that generate new test cases in the background.

You start by uploading a tar.gz file containing the compiled target for libFuzzer, the coverage-guided, evolutionary fuzzing engine. With the Fuzzit CLI, you authenticate and push the binary to Fuzzit. Once code is pushed to master, Fuzzit runs the target asynchronously without blocking the CI. If bugs are found, it alerts you through your configured channel.
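What such a compiled target looks like, and what the per-pull-request regression replay described above actually does, is easier to see in code. The following is an added example, not Fuzzit's code or any project's: a libFuzzer-style target for a hypothetical length-prefixed record format, carrying the bounds check a fuzzer typically finds missing, plus a replay of constructed stand-ins for saved crash inputs. The record format, the `REPLAY_MAIN` macro and the sample inputs are assumptions made for this example; the `-fsanitize=fuzzer,address` flags and the `LLVMFuzzerTestOneInput` entry point are libFuzzer's real interface.

```c
/* Added example, not Fuzzit's code: a libFuzzer-style target for a
 * hypothetical length-prefixed record format, with the bounds check a
 * fuzzer typically finds missing, plus a regression replay of saved
 * crash inputs of the kind a CI job runs on every pull request.
 *
 * Fuzz build (the binary you would package and push to a fuzzing service):
 *   clang -g -O1 -fsanitize=fuzzer,address target.c -o target
 * Regression build without libFuzzer (replays the embedded inputs):
 *   clang -g -fsanitize=address -DREPLAY_MAIN target.c -o replay
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format: [tag:1][len:1][payload:len]. */
typedef struct {
    uint8_t tag;
    uint8_t len;
    const uint8_t *payload;
} record_t;

/* Returns 0 on success, -1 on malformed input. The length check is the
 * line a fuzzer finds missing: without it, a declared len larger than
 * the remaining bytes makes the consumer read past the end of `data`. */
int parse_record(const uint8_t *data, size_t size, record_t *out)
{
    if (data == NULL || size < 2)
        return -1;
    uint8_t len = data[1];
    if ((size_t)len > size - 2)        /* payload must fit in the input */
        return -1;
    out->tag = data[0];
    out->len = len;
    out->payload = data + 2;
    return 0;
}

/* A consumer with a fixed-size buffer: rejects payloads that would not
 * fit, leaving room for the terminator. Returns 0 on success, -1 if too long. */
int copy_payload(const record_t *r, char *dst, size_t dst_size)
{
    if (dst_size == 0 || (size_t)r->len >= dst_size)
        return -1;
    memcpy(dst, r->payload, r->len);
    dst[r->len] = '\0';
    return 0;
}

/* libFuzzer entry point. The engine calls this with mutated inputs;
 * AddressSanitizer turns any out-of-bounds access into a reported crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    record_t r;
    char buf[16];
    if (parse_record(data, size, &r) == 0)
        (void)copy_payload(&r, buf, sizeof buf);
    return 0;                          /* non-zero return values are reserved */
}

/* Constructed stand-ins for crash inputs a fuzzing run would have saved:
 * a length field pointing past the input, a payload too long for the
 * consumer's buffer, and a well-formed record. Replays each through the
 * target and returns how many were replayed. */
size_t replay_saved_inputs(void)
{
    static const uint8_t truncated[] = { 0x01, 0xff };            /* len 255, no payload */
    static const uint8_t ok[] = { 0x03, 0x03, 'o', 'k', '!' };    /* well-formed */
    uint8_t oversized[20];                                        /* len 18 > 16-byte buffer */
    oversized[0] = 0x02;
    oversized[1] = 18;
    memset(oversized + 2, 'A', 18);

    const struct { const uint8_t *data; size_t size; } corpus[] = {
        { truncated, sizeof truncated },
        { oversized, sizeof oversized },
        { ok, sizeof ok },
    };
    size_t n = sizeof corpus / sizeof corpus[0];
    for (size_t i = 0; i < n; i++)
        LLVMFuzzerTestOneInput(corpus[i].data, corpus[i].size);
    return n;
}

#ifdef REPLAY_MAIN
int main(void)
{
    size_t n = replay_saved_inputs();
    printf("replayed %zu saved inputs without a sanitizer report\n", n);
    return 0;
}
#endif
```

The fuzz build is the artifact you would tar up and push: libFuzzer supplies its own `main`, which is why the replay driver is behind a macro. In a CI pipeline the replay build runs on every pull request and fails the job if AddressSanitizer reports on any saved input, while the long-running fuzz build is left to the service to run in the background. Remove the length check in `parse_record` and ASan will flag the first replayed input within seconds.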

The platform updates logs every minute and automatically merges the corpus between all workers every hour. It focuses on making sure bugs actually get fixed, and will alert you again if a fixed bug is reintroduced in a pull request.

“If you write five or 10 fuzz tests, we only run one version at a time. If you push a new version, we stop the old version and start the new version.  It creates a corpus between the runs. Every time you push code, the fuzzer does not start at the beginning but starts where the old version stopped,” Pats said.

To test multiple releases, you can point jobs at specific branches or tags so that each version is fuzzed separately.

On-Prem, too

Fuzz testing has some interesting history, dating back to the 1950s.

More recent projects include Google's ClusterFuzz, which underpins OSS-Fuzz, a service backed by the Linux Foundation's Core Infrastructure Initiative to improve security in key open source applications; and Microsoft Security Risk Detection (formerly Project Springfield).

And then there are companies like ForAllSecure, FuzzBuzz and Synopsys.

With ClusterFuzz, Pats said, “You have to manage it, set it up, own the server. The minimum cost is $600/month for compute power even if you aren’t running any tests.

“You have to have GCP. With AWS or on-prem, you can’t really use it. Our solution also works on-prem. We have a managed version.”

At the low end, its price is $25 per month for two containers, with a free tier for open source.

Going forward, while the company focused on open source projects last year, next year it will focus on enterprise features, such as easier on-prem installation, integrations with internal ticketing systems, and automation for large organizations.

An event called FuzzCon is scheduled to take place Feb. 25 in San Francisco, with speakers from Google, Microsoft, Synopsys, ForAllSecure and more. Find a GitHub resource for fuzzing here.

The Linux Foundation is a sponsor of The New Stack.

Feature Image: “Fuzz” by Dylan Luder. Licensed under CC BY-SA 2.0.
