
Google Introduces ClusterFuzzLite Security Tool for CI/CD

18 Nov 2021 5:00am, by

Have you noticed we’re taking coding security more seriously these days? I have. We have a reason. Software supply chain attacks, such as the ones on Kaseya’s VSA, SolarWinds, and PHP, are becoming commonplace. When even the National Institute of Standards and Technology (NIST) and the White House, with its Executive Order on Improving the Nation’s Cybersecurity, are demanding more code testing, you know cybersecurity is finally being taken seriously. One new way of making this happen is with continuous fuzzing. To help make that easier, Google has released ClusterFuzzLite.

Fuzzing, for those of you who don’t know it — and after meeting a college senior computer science programming student the other week who’d been taught no security measures, that may be too many of you — is a simple debugging technique. You literally feed your program garbage input to see what happens. It dates all the way back to the 50s when they’d input decks of punch cards taken from the trash to see what would go wrong.

Sounds simple, doesn’t it? It is. But it works.

ClusterFuzzLite enables you to run continuous fuzzing in your continuous integration and delivery (CI/CD) pipeline. The result? You’ll find vulnerabilities more easily and faster than ever before.

This is vital. A 2020 GitLab DevSecOps survey found that, while 81% of developers believed fuzz testing is important, only 36% were actually using fuzzing. Why? Because it was too much trouble to set fuzzing up and integrate it with their CI/CD systems. At the same time, though, as Shuah Khan, kernel maintainer and the Linux Foundation’s third Linux Fellow, has pointed out, “It is easier to detect and fix problems during the development process” than it is to wait for manual testing or quality assurance later in the game.

By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip past the most careful eyeballs. NIST’s guidelines for software verification specify fuzzing as a minimum standard requirement for code verification. After all, as Dan Lorenc, founder and CEO of Chainguard and former Google open source security team software engineer, recently told The New Stack, “Components like build systems, source code management tools, and artifact repositories all need to be treated as critical production environments because they are.”

ClusterFuzzLite works hand-in-glove with Google’s OSS-Fuzz program. Since 2016, OSS-Fuzz has found 6,500 vulnerabilities and 21,000 functional bugs in 500 critical open source projects. These have all since been fixed. Now that power can be used on your projects.

Although ClusterFuzzLite is much newer, it’s already being successfully used in important projects such as systemd and curl. According to Daniel Stenberg, curl’s author, “When human reviewers nod and have approved the code and your static code analyzers and linters can’t detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.”

ClusterFuzzLite comes with many of the same features as its big brother, ClusterFuzz. This includes continuous fuzzing, sanitizer support, corpus management and coverage report generation. You can also use ClusterFuzzLite with proprietary source projects.

In this initial launch version, the program supports the following fuzzing engines and sanitizers: libFuzzer for coverage-guided testing; AddressSanitizer for finding memory safety issues; MemorySanitizer for finding uninitialized memory problems; and UndefinedBehaviorSanitizer for finding undefined behavior (e.g. integer overflows). Again, simple problems, but they appear in our code over and over again.
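To make the libFuzzer-plus-AddressSanitizer combination concrete, here is an added example (not code from the article or from the ClusterFuzzLite project) of the kind of harness you hand to these engines: a small record parser over a constructed wire format, with the bounds check that AddressSanitizer would flag as a stack-buffer-overflow if it were missing. The format, the parser and the function name `parse_records` are assumptions made for this illustration; `LLVMFuzzerTestOneInput` is libFuzzer's real entry point.

```c
/* Added example (not from the article or ClusterFuzzLite itself): a libFuzzer
 * harness around a small constructed record parser. libFuzzer repeatedly calls
 * LLVMFuzzerTestOneInput() with mutated inputs; AddressSanitizer turns a silent
 * out-of-bounds write into a reported crash that ClusterFuzzLite shows in CI. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format: records of [type:1][len:1][payload:len], back to
 * back; type 1 carries a name of at most 15 bytes. Returns the number of
 * records parsed, or -1 if the input is malformed. */
int parse_records(const uint8_t *data, size_t size) {
    size_t pos = 0;
    int count = 0;
    char name[16];
    while (pos < size) {
        if (size - pos < 2) return -1;     /* truncated header */
        uint8_t type = data[pos], len = data[pos + 1];
        pos += 2;
        if (len > size - pos) return -1;   /* payload runs past the input */
        if (type == 1) {
            /* This is the check fuzzing finds when it is missing: an unchecked
             * memcpy with len up to 255 overflows name[16], and ASan reports
             * a stack-buffer-overflow and saves the crashing input. */
            if (len >= sizeof name) return -1;
            memcpy(name, data + pos, len);
            name[len] = '\0';
        }
        pos += len;
        count++;
    }
    return count;
}

/* libFuzzer entry point: must accept any byte string; the return value is
 * reserved and stays 0. Build: clang -g -fsanitize=fuzzer,address harness.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    parse_records(data, size);
    return 0;
}
```

Running the resulting binary with a corpus directory is exactly what ClusterFuzzLite automates per commit, including keeping the corpus and the crash reproducers it finds.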

The program supports C, C++, Java (and other JVM-based languages), Go, Python, Rust and Swift. You can use it today with GitHub Actions, Google Cloud Build, and Prow. Google promises more CI systems will be supported shortly. Google claims adding support for other CI systems is straightforward.

Want to know more? Check out the ClusterFuzzLite documentation. Me? If I were putting together a CI/CD pipeline for my team, I’d already be tinkering with ClusterFuzzLite on my test pipeline.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Kaseya.