Google’s OSS-Fuzz extends fuzzing to Java apps

Google’s open source fuzz-testing service, OSS-Fuzz, now supports applications written in Java and other JVM-based languages. The capability was introduced on March 10.

OSS-Fuzz provides continuous fuzzing for open source software. Fuzzing, a technique for finding programming errors and security vulnerabilities in software, feeds a stream of semi-random and invalid input to a program. Fuzzing code written in memory-safe languages such as JVM languages can find bugs that cause programs to crash or behave incorrectly.

Google enabled fuzzing for Java and the JVM by integrating OSS-Fuzz with the Jazzer fuzzer from Code Intelligence. Jazzer lets users fuzz code written in JVM-based languages through the LLVM project’s libFuzzer, an in-process, coverage-guided fuzzing engine, much as has already been done for C/C++ code. Languages supported by Jazzer include Java, Clojure, Kotlin, and Scala. Coverage feedback is passed from JVM bytecode to libFuzzer, and Jazzer supports libFuzzer features including:

  • FuzzedDataProvider, for fuzzing code that does not accept an array of bytes.
  • Evaluation of code coverage based on 8-bit edge counters.
  • Minimization of crashing inputs.
  • Value profiles.
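To make the list above concrete, here is a minimal Jazzer fuzz target. It is an added example, not code from the article, Google, or Code Intelligence. It assumes the Jazzer API classes (`com.code_intelligence.jazzer.api`) are on the classpath; the `HeaderParser` class, its capacity bug, and the `HeaderParserFuzzer` name are hypothetical code under test, written only to show how `FuzzedDataProvider` turns the raw byte input into typed values and how an uncaught exception becomes a finding.

```java
// Added example (not from the article, Google or Code Intelligence): a minimal Jazzer
// fuzz target. Assumes the Jazzer API jar is on the classpath; HeaderParser and the
// fuzzer class name are hypothetical code under test.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

public class HeaderParserFuzzer {

    // Hypothetical code under test: parses "Name: value" lines into a fixed-capacity table.
    static final class HeaderParser {
        private final String[] names;
        private final String[] values;
        private int count;

        HeaderParser(int capacity) {
            names = new String[capacity];
            values = new String[capacity];
        }

        void parse(String text) {
            for (String line : text.split("\n")) {
                int colon = line.indexOf(':');
                if (colon < 0) {
                    // Documented rejection of malformed input.
                    throw new IllegalArgumentException("header line lacks ':'");
                }
                // Defect this target is meant to surface: no capacity check before the
                // store, so one header too many raises ArrayIndexOutOfBoundsException.
                names[count] = line.substring(0, colon).trim();
                values[count] = line.substring(colon + 1).trim();
                count++;
            }
        }

        int size() {
            return count;
        }
    }

    // Jazzer invokes this method once per generated input. FuzzedDataProvider slices the
    // raw bytes into typed values, so the code under test never has to accept a byte[].
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        int capacity = data.consumeInt(1, 16);          // small table so the bug is reached quickly
        String text = data.consumeRemainingAsString();  // rest of the input is the header block

        HeaderParser parser = new HeaderParser(capacity);
        try {
            parser.parse(text);
        } catch (IllegalArgumentException expected) {
            // Expected rejection of bad input: not a finding, just return.
            return;
        }

        // Any other uncaught exception (here ArrayIndexOutOfBoundsException from the
        // parser) is reported by Jazzer as a finding with a minimized crashing input.
        // An explicit postcondition turns a silent logic error into a finding as well.
        if (parser.size() > capacity) {
            throw new IllegalStateException("parser stored more headers than its capacity");
        }
    }
}
```

Compiled against the Jazzer API jar, the target runs locally with the Jazzer launcher, for example `jazzer --cp=<classpath> --target_class=HeaderParserFuzzer`; libFuzzer's coverage feedback from the instrumented bytecode steers inputs toward the `':'`-containing lines that fill the table, and the first input with `capacity + 1` valid lines is reported and minimized. Catching only the exception type the parser documents, as the target does, keeps real defects visible instead of swallowing them.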

Google has provided documentation on adding open source projects written in JVM languages to OSS-Fuzz. Plans call for Jazzer eventually to support all libFuzzer features. Jazzer can also provide coverage feedback from native code executed through the Java Native Interface (JNI), which can uncover memory corruption vulnerabilities in memory-unsafe native code. OSS-Fuzz also lists Go, Python, C/C++, and Rust as supported languages.

Copyright © 2021 IDG Communications, Inc.