Google LLC today announced the release of ClusterFuzzLite with an aim to make it easy to integrate fuzzing – a technique for finding bugs in software using random or invalid data – into software development workflows.

Fuzzing, also called fuzz testing, has become a fundamental part of discovering software bugs and vulnerabilities. It can catch bugs that can slip by manual tests by throwing random and unexpected data at code in order to produce out-of-bounds results and crashes, which are likely to reveal flaws in the software.

This sort of testing is especially important for any software that will be exposed to external user input. That’s because this is where hackers will attempt to exploit the system or a user could accidentally run across a case that crashes the application.

ClusterFuzzLite works alongside OSS-Fuzz, a program developed by Google to provide continuous fuzzing for select core open-source software projects. Since the release of OSS-Fuzz in 2016, it has led to the detection and repair of more than 6,500 vulnerabilities and 21,000 functional bugs across more than 500 critical open-source projects.

Google said large projects such as systemd, the user process management service on the Linux operating system, and curl, a command-line tool and library for transferring data, are already using ClusterFuzzLite during code review.

Image: Google

“When the human reviewers nod and have approved the code and your static code analyzers and linters can’t detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness,” said Daniel Stenberg, author of curl. “OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.”

ClusterFuzzLite makes it simpler to integrate fuzzing into any project workflow and makes fuzz testing an essential standard during commits. GitHub users can easily add it into their workflow and fuzz pull requests to catch bugs before code is committed with only a few lines of code. Equally important, it’s easy to set up for closed-source projects as well.

By adding fuzzing during the integration process, bugs in the code can be caught before new code is added to the main codebase. The solution currently supports GitHub Actions, Google Cloud Build and Prow. It was built with continuous integration system extensibility in mind, and the team made it so that adding support for other CI systems is straightforward.

Further information is available on the ClusterFuzzLite documentation page.

Image: Unsplash