GitLab Open Sources Protocol Fuzzer Community Edition
Fuzz testing may seem like a relatively new technique to find bugs, but really it dates all the way back to the 50s when they’d input decks of punch cards taken from the trash to find mainframe software trouble. We’ve gotten a wee bit more advanced in our techniques these days. GitLab, for example, has just open-sourced its newly acquired Protocol Fuzzer Community Edition.
That’s important because most of this protocol and application programming interface’s (API’s) Fuzzer features were only available with a commercial license. There’s a real need for the debugging capabilities to be more widely available. A 2020 GitLab DevSecOps survey found that, while 81% of developers believed fuzz testing is important, only 36% were actually using fuzzing? Why? Because it was too much trouble to set fuzzing up and integrate it with their own continuous integration (CI) systems.
This isn’t the first version of Protocol Fuzzer to be open-sourced. Under its previous management, Peach Tech, an earlier version, Peach Fuzzer Community Edition, had been open-sourced. However, this edition was more limited and its code was only available on SourceForge. Today, the Protocol Fuzzer code, under the MIT License, is available on GitLab.
While this program includes more features than the earlier version, its code is still very much based on Peach Tech’s Peach Fuzzer Professional v4 from Peach Tech, which GitLab acquired in 2020. For example, the program still contains references to Peach Tech. In addition, some features were removed and will be made available as part of GitLab in the future.
The core feature though is that it includes the engine to run and orchestrate fuzz tests as well as the pieces needed to define your own protocols. Earlier you could have only used its tools by paying for the commercial version of Peach Fuzzer or using an older, unmaintained version of Peach Fuzzer Community. The latter lacked many of the features and bug fixes available in the commercial version.
According to GitLab’s Secure: Fuzz principal product manager, Sam Kerr “By open sourcing much of what was previously available only with a paid license, we are thrilled to enable more security researchers, students, and developers to experiment with and use protocol fuzz testing to find vulnerabilities and bugs that other tools will not. This also enables everyone to contribute and help advance the state of the art even further.”
Since the Peach Tech acquisition, the company has been focused on integrating API fuzz testing and have released several iterations with it. “Now, we are focusing on how we can offer protocol fuzz testing as well,” Kerr wrote by e-mail.
You can expect to see a lot of this in the open-source version. “Part of our stewardship promise is that we want to give the community open-source pieces of all of our DevSecOps stages, which includes fuzz testing. Until now, the main alternatives were an older version of Peach Tech community edition, which was last updated over five years ago, or choosing to not do any fuzz testing.”
Kerr concluded, “Everyone can benefit from fuzz testing to find bugs and vulnerabilities that other tools miss. We have a lot more we’re excited to do on the protocol fuzz tester and we wanted to open source these parts of it as soon as we could to ensure everyone can contribute. Community involvement will help us to move more quickly to add new capabilities and also allow users to contribute new features for their own specific use cases while we build out our own roadmap.” GitLab has already given more details about its future plans on its fuzz testing direction page.
To use Protocol Fuzzer, at this point, however, you’ll probably need to already have experience with the program’s earlier versions. For now, other than instructions on how to build the program on Linux, macOS, and Windows, there’s little up-to-date documentation. Still, that will come in time, and the program, as its decade-long history shows, promises to work well for those willing to devote time to mastering it.