Google launches ClusterFuzzLite

Sheila Zabeu

November 25, 2021

Have you noticed that we have been taking secure coding more seriously lately? There is a reason for that. Software supply chain attacks, such as those involving Kaseya’s VSA, SolarWinds, and PHP, are becoming commonplace. When even the National Institute of Standards and Technology (NIST) and the White House, through an Executive Order on improving the nation’s cybersecurity, are requiring more code testing, you know that cybersecurity is finally being taken seriously.

To make this easier, Google has launched a new project called ClusterFuzzLite that helps identify vulnerabilities in software more quickly. According to the company, with just a few lines of code it is possible to integrate ClusterFuzzLite into developers’ workflows and detect bugs, thus increasing the security of the software production chain. The new tool can be run “as part of CI/CD workflows to find vulnerabilities faster than ever before,” wrote software engineers Jonathan Metzman and Oliver Chang, along with Google’s CI/CD product lead Michael Winser, in a post on Google’s Security blog.

ClusterFuzzLite is a lighter version of the ClusterFuzz project, announced in 2016. Both are based on fuzz testing, also known as fuzzing, a technique developed at the University of Wisconsin–Madison in 1989 that seeks to find implementation bugs automatically by feeding a program malformed or random data.

Fuzz tests are suitable for software that receives untrusted input (security), for checking the equivalence of two complex algorithms (correctness), and for checking high-volume APIs that receive complex data (stability). Fuzzing is not a replacement for other types of tests and should be applied continuously.
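As an added illustration of what such a test looks like in practice (this is example code, not from the article or from Google), here is a libFuzzer-style fuzz target of the kind ClusterFuzzLite builds and runs: the record format, its parser and the sample inputs are constructed for the example, while `LLVMFuzzerTestOneInput` is the real libFuzzer entry point that the fuzzing engine calls with mutated data. Built with a sanitizer (for instance `clang -fsanitize=fuzzer,address`), a parser that trusted the length field would be flagged on the first out-of-bounds read; the bounds check below is what the fuzzer would force the developer to add.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format: 1-byte tag, 1-byte length, then `length`
 * payload bytes, repeated until the buffer is exhausted. Untrusted input
 * controls the length field, so it must be checked against what is left. */

/* Parse all records. Returns the record count, or -1 if the input is
 * malformed (truncated header or payload). If tag_sum is non-NULL it
 * receives the sum of the tags seen, standing in for "real" processing. */
int parse_records(const uint8_t *data, size_t size, uint32_t *tag_sum)
{
    size_t pos = 0;
    int count = 0;
    uint32_t sum = 0;

    while (pos < size) {
        if (size - pos < 2)          /* header must fit */
            return -1;
        uint8_t tag = data[pos];
        uint8_t len = data[pos + 1];
        pos += 2;
        if (len > size - pos)        /* payload must fit: the check a buggy parser omits */
            return -1;
        uint8_t payload[255];        /* len is at most 255, so this always fits */
        memcpy(payload, data + pos, len);
        sum += tag + (len ? payload[0] : 0);
        pos += len;
        count++;
    }
    if (tag_sum)
        *tag_sum = sum;
    return count;
}

/* libFuzzer entry point: the engine calls this repeatedly with mutated
 * inputs of any size; a sanitizer build turns memory errors into reports.
 * It must always return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)parse_records(data, size, NULL);
    return 0;
}

/* Constructed sample inputs: two valid records, and a truncated payload. */
static const uint8_t SAMPLE_GOOD[]      = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00};
static const uint8_t SAMPLE_TRUNCATED[] = {0x01, 0x05, 0xAA};
```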

ClusterFuzz is an open-source fuzzing infrastructure capable of running tests continuously. High-impact open source projects can be integrated into the OSS-Fuzz service to receive free fuzz testing. In addition to the ClusterFuzz environment, OSS-Fuzz combines various fuzzing engines with sanitizers. From its announcement in 2016 until June 2021, more than 500 critical open source projects were integrated into OSS-Fuzz, resulting in more than 6,500 vulnerabilities and 21,000 functional bugs being fixed.

ClusterFuzzLite, meanwhile, the younger sibling of ClusterFuzz, is also showing positive results with large projects, according to Google. “When human reviewers approve code and code analyzers can no longer detect problems, fuzzing is what takes code to a new level of maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain cURL as a quality project, 24 hours a day, every day and in front of every engagement,” highlights Daniel Stenberg, author of the cURL project, a command-line tool and library for transferring data with URL syntax.

Google explains that ClusterFuzzLite offers many of the features of ClusterFuzz, such as continuous fuzzing, sanitizer support and coverage reporting. However, the most important thing about ClusterFuzzLite, in Google’s view, is that it is easy to configure and works with closed-source projects, making it an interesting option for any developer looking to test software.

Supply chain attacks

Google’s ultimate goal in offering these tools is to contribute to reducing the supply chain attacks that have been terrorizing various industries recently. This category of attack compromises a vulnerable link in the chain, for example a company that provides software or services to many others, and thus opens the way to thousands of new targets.

Among the many incidents of this type in the last year, one of the largest and most devastating was the one involving IT company SolarWinds, whose system updates were compromised and then sent to thousands of customers, including large private sector companies and US government agencies. Another major attack exploited a vulnerability in Kaseya software, affecting customers around the world.

Development environments in particular are excellent targets for cybercriminals who use supply chain attacks. In light of these major cybersecurity incidents, the UK’s National Cyber Security Centre (NCSC), for example, issued a warning highlighting that attacks on the software development pipeline can have far-reaching impacts.

That is why, Google says, tools like ClusterFuzzLite should be treated as another essential step that developers continually apply to all software projects. By finding and preventing bugs more efficiently, a more secure software ecosystem can be built.