Slashdot Mirror


Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com)

Orome1 writes: In the last five months, Google's OSS-Fuzz program has unearthed over 1,000 bugs in 47 open source software projects... So far, OSS-Fuzz has found a total of 264 potential security vulnerabilities: 7 in Wireshark, 33 in LibreOffice, 8 in SQLite 3, 17 in FFmpeg -- and the list goes on...
Google launched the program in December and wants more open source projects to participate, so they're offering cash rewards for including "fuzz" targets for testing in their software. "Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration" -- or twice that amount, if the proceeds are donated to a charity.

55 comments

  1. Profit! by xxxJonBoyxxx · · Score: 4, Funny

    >> or twice that amount ($40K), if the proceeds are donated to a charity.

    1) Create some horribly insecure OSS software
    2) Set up charity, make self "director", limit payouts to cause to under 5%, set director fees to around 90%
    3) Integrate Google fuzz, report self and payout to, er, "charity"
    4) PROFIT!

    1. Re:Profit! by Dutch+Gun · · Score: 3, Informative

      From TFA (in case anyone was wondering about the criteria):

      "To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure."

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Profit! by freeze128 · · Score: 1

      You forgot a step...

      1.5) Get the OSS community to rely on your software on a daily basis.

    3. Re:Profit! by swillden · · Score: 1

      >> or twice that amount ($40K), if the proceeds are donated to a charity.
      >> 1) Create some horribly insecure OSS software
      >> 2) Set up charity, make self "director", limit payouts to cause to under 5%, set director fees to around 90%
      >> 3) Integrate Google fuzz, report self and payout to, er, "charity"
      >> 4) PROFIT!

      You forgot step 1.5: "Get horribly insecure OSS software to be used by a large number of people and/or be critical to global I/T infrastructure".

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Profit! by AchilleTalon · · Score: 1

      Are you talking about systemd?

      --
      Achille Talon
      Hop!
    5. Re: Profit! by Anonymous Coward · · Score: 1

      That's the easy part xD

    6. Re: Profit! by Anonymous Coward · · Score: 0

      How about, just send in 2 projects.

  2. Great news! by therealspacebug · · Score: 3, Insightful

    This is what open source is about. Together making software better and more secure!

    1. Re:Great news! by Dutch+Gun · · Score: 2

      If you haven't done this for your projects, fuzz testing is an awesome stability and security test for any sort of input parser.

      I maintain a small open source project (that no one but me uses, but hey, it's there if people want), and I found several bugs in the parser with my fuzz tests. I just wrote a *very* simple test myself using basic mutation techniques (randomly altering samples of valid input data), and it was still pretty effective.

      I'm looking forward to hearing about further positive results from this project.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Great news! by Anonymous Coward · · Score: 0

      YOU ARE MISREADING. 1000+ bugs WERE FOUND, that's BECAUSE the projects are OPEN SOURCE and PEOPLE CARED TO LOOK. FTFY.

    3. Re: Great news! by Anonymous Coward · · Score: 0

      You don't need the source if you are using a fuzzer

  3. Thank you Google by Anonymous Coward · · Score: 1

    Thank you, this shows again the advantage of open source free software. Now all communities can start fixing the bugs. There is no security by obscurity, or it's just a false misperception, possible like with proprietary software.

    1. Re: Thank you Google by xxxJonBoyxxx · · Score: 2

      This popped out of the Chrome project, if I'm reading this right. From:
      https://github.com/google/oss-fuzz/

      >> Currently OSS-Fuzz supports C and C++ code (other languages supported by LLVM may work too).
      >> We (did) fuzzing of Chrome components...now want to share the...service with the open source community.

    2. Re: Thank you Google by haruchai · · Score: 4, Insightful

      Isn't it interesting how it takes a multi-billion dollar closed-source development company to clean up the security messes left by open source software?

      Isn't it interesting how it takes an unpaid outfit to expose the hacks of a multi-billion dollar closed state-sponsored terrorist agency taking advantage of the security messes of multi-billion dollar closed source development companies?

      --
      Pain is merely failure leaving the body
    3. Re: Thank you Google by nyet · · Score: 1

      Ever heard of valgrind?
      scan-build?
      libasan?

    4. Re: Thank you Google by Anonymous Coward · · Score: 0

      There are plenty of commercial companies with buggy software or software which has declined in quality since it was first created. The advantage of open source is that people who use the software can all look at the code and submit modifications or fork if there's something they really need enough to put the investment in. Commercial software, unless it is open source, does not have that advantage. This can make a huge difference in the case of security concerns as well.

      In fact, there is no more engaged community than that which also helps edit and check the code. If you have a community doing that, you know they are fully invested. At that point, the only way they are going to fork is if the interests truly diverge.

    5. Re: Thank you Google by chipschap · · Score: 2

      Isn't it interesting how it takes a multi-billion dollar closed-source development company to clean up the security messes left by open source software?

      As opposed to closed-source security messes that NEVER get cleaned up?

    6. Re: Thank you Google by phantomfive · · Score: 2

      If only they'd fix their own bugs.

      Could be worse: they could be Apple.

      --
      "First they came for the slanderers and i said nothing."
    7. Re: Thank you Google by Anonymous Coward · · Score: 0

      That would be yes on valgrind and no on the 2 others.
      I love valgrind and because of that I am now going to look up what the other 2 are.
      Do you know other tools that I might enjoy using?

      (PS: I'm another anonymous coward than the one you replied to and have no opinion one way or the other about what he said)

  4. surprised by Anonymous Coward · · Score: 1

    I'm surprised they found so few in libreoffice compared to sqlite. Sqlite has the most extensive unit tests I've ever seen in my life, and LibreOffice is just so huge relative to it. I guess that goes to saying they're doing a pretty good job.

    1. Re:surprised by DRichardHipp · · Score: 5, Informative

      The SQLite developers were also surprised by how many bugs OSS-Fuzz (and American Fuzzy Lop) have found in SQLite.

      The best explanation I have is that OSS-Fuzz and AFL are exploring extreme corner-cases of the code where human-generated tests would never think to go. Fuzzing is great for finding bugs that involve totally unreasonable inputs that never happen in actual practice and which can only appear as part of a deliberate attack. Fuzzing has not found any bugs that would impact the day-to-day use of SQLite.

      In other words, fuzzing finds an entirely different class of bugs from what the mountains of other test cases for SQLite are designed to find. This is a good thing. We encourage testing diversity.

      Here is a list of issues found in SQLite by OSS-Fuzz (and now fixed): https://www.sqlite.org/src/sea...

      There are a few cases of NULL pointer dereferences or other crashes that come about while unwinding the stack following an Out-Of-Memory error. Those kinds of errors are real, and we are grateful to OSS-Fuzz for finding them, even if they are seldom seen in the wild. Other issues were assertion faults that probably would not have resulted in a crash if assert() had been disabled (which is the case for all default builds of SQLite). And then there are things like https://www.sqlite.org/src/tim... which is not really a bug at all - OSS-Fuzz was submitting a funky recursive VIEW query that after unwinding all the nested views resulted in a very large prepared statement, which took too long to process and so OSS-Fuzz timed out. SQLite was getting the correct answer, it was just taking too long. Since the submitted SQL was of no practical use, we "fixed" that problem by limiting the size of prepared statements to be about 100 times larger than any real SQL statement needs to be, rather than the default limit of about a 10 million times larger.

    2. Re:surprised by Anonymous Coward · · Score: 0

      I also think it is a testament to how thorough some fuzz targets are compared to others. SQLite obviously took the charge seriously. Theirs is DEEP and can do all sorts of edge cases and tests huge chunks of the code; most others are much more limited in what they can uncover because they focus on certain functions or are limited in the input provided. If anything, SQLite's high numbers show how seriously they take testing and how good performance is to keep timeouts limited. Similarly, the lack of high numbers in huge projects, like LibreOffice, shows the opposite.

    3. Re:surprised by Anonymous Coward · · Score: 0

      I'm surprised they found so few in libreoffice compared to sqlite.

      Part of that might be the comparative number of test entry points in the libreoffice vs. sqlite tests.

      OSS-Fuzz doesn't automatically determine the entry functions over which it fuzzes. Instead, a person has to manually curate and enable fuzzing for each function you want fuzz tested. The more functions you hook up to the fuzzer, the more chances you have to find bugs.

      The other thing to keep in mind is that the OSS-Fuzz fuzzer only really works well with fast, self-contained functions where you have a relatively limited amount of input data. It doesn't work well if you have functions which work on state, or on functions which are stateless but have massive amounts of context data. When OSS-Fuzz works, it's feeding your function-fuzzing framework arbitrary bytestreams. If you can't take an *arbitrary* bytestream and parse it into a reasonable set of inputs for the function, the fuzzer doesn't work too well.

      I don't know what the comparison of number of functions and code coverage is for libreoffice vs. sqlite, but I'm betting that sqlite having excellent unit test coverage is the reason why more bugs are found on it. Setting things up for good unit test coverage means there are many more function entry points set up to run easily in the fuzzer. The culture of testing also probably means the person setting up the fuzzer test was willing to do more to expose more functions to the fuzzer.

      In contrast, much of the libreoffice code base is involved in user interaction and is highly context dependent. This doesn't make it a good target for the OSS-Fuzz framework. I'm guessing the libreoffice functions that are being fuzzed are low-level calculation functions or file-format parsers. The UI elements or the functions which work on the document as a whole? Probably not so much. I'm also guessing the different culture around testing probably also means that less effort was expended in exposing various functions to the fuzzer.

      tl:dr; - No direct knowledge of the details, but the libreoffice fuzzing is probably testing less code than the sqlite one, and hence finds correspondingly fewer bugs.
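The pieces the comments above describe, as an added example that is not taken from OSS-Fuzz, SQLite or any poster's project: a fuzz entry point that accepts an arbitrary byte stream, driven by the kind of simple mutation loop Dutch+Gun mentions, with each input copied to a heap block sized to it so an AddressSanitizer build reports any over-read. The record format, `parse_records`, `mutate_and_run` and the `USE_LIBFUZZER` macro are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy format, constructed for this example:
 *   [type:1][len:1][value:len], repeated until the end of the buffer.
 * Returns the number of records, or -1 if the input is malformed. */
int parse_records(const uint8_t *data, size_t size)
{
    size_t pos = 0;
    int count = 0;

    while (pos < size) {
        if (size - pos < 2)
            return -1;                  /* truncated header */
        uint8_t type = data[pos];
        size_t len = data[pos + 1];
        pos += 2;
        if (type < 1 || type > 3)
            return -1;                  /* unknown record type */
        if (len > size - pos)
            return -1;                  /* length runs past the buffer */
        pos += len;
        count++;
    }
    return count;
}

/* Entry point libFuzzer (and therefore OSS-Fuzz) calls with arbitrary bytes.
 * It must tolerate any input: no exit(), no assumptions about content. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    parse_records(data, size);
    return 0;
}

/* Constructed valid sample: two records ("abc" and "xy"). */
static const uint8_t SAMPLE[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x02, 'x', 'y' };

/* xorshift32: small deterministic PRNG so a failing run can be replayed. */
static uint32_t rng_state = 1;
static uint32_t next_rand(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Mutation loop: corrupt 1-3 bytes of the sample, sometimes truncate it, and
 * feed the result to the fuzz entry point. Each input is copied into a heap
 * block sized to the input so AddressSanitizer can flag reads past its end.
 * Returns how many mutated inputs were rejected (-1 if allocation fails). */
int mutate_and_run(uint32_t seed, int iterations)
{
    int rejected = 0;

    rng_state = seed ? seed : 1;        /* xorshift state must be non-zero */
    for (int i = 0; i < iterations; i++) {
        uint8_t buf[sizeof SAMPLE];
        size_t size = sizeof buf;

        memcpy(buf, SAMPLE, sizeof buf);
        int flips = 1 + (int)(next_rand() % 3);
        for (int f = 0; f < flips; f++) {
            size_t idx = next_rand() % sizeof buf;
            buf[idx] = (uint8_t)next_rand();
        }
        if (next_rand() % 4 == 0)
            size = next_rand() % (sizeof buf + 1);

        uint8_t *exact = malloc(size ? size : 1);
        if (exact == NULL)
            return -1;
        memcpy(exact, buf, size);
        LLVMFuzzerTestOneInput(exact, size);
        if (parse_records(exact, size) < 0)
            rejected++;
        free(exact);
    }
    return rejected;
}

/* USE_LIBFUZZER is a hypothetical macro for this example: define it when
 * linking with clang -fsanitize=fuzzer, which supplies its own main(). */
#ifndef USE_LIBFUZZER
int main(void)
{
    int rejected = mutate_and_run(1, 100000);
    printf("%d of 100000 mutated inputs rejected, none crashed\n", rejected);
    return 0;
}
#endif
```

Removing the `len > size - pos` check and rebuilding with `-fsanitize=address` shows why the two tools are paired: the mutation loop produces the bad length within a few iterations, and the sanitizer turns the resulting over-read into an immediate report.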

  5. What does this do by nyet · · Score: 2

    What does this do that libasan and clang's scan-build don't?

    1. Re:What does this do by swillden · · Score: 1

      What does this do that libasan and clang's scan-build don't?

      Fuzzing is the process of running code that accepts some user input and feeding it all sorts of bizarre garbage in an attempt to find cases the developers failed to handle. It's common to use a fuzzer in combination with something like libasan, because libasan will make buggy codepaths fail more obviously when the fuzzer triggers them. Clang's scan-build is a static code analyzer, a completely different type of scanner.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:What does this do by Anonymous Coward · · Score: 0

      ASAN stands for Address SANitization

  6. Sikulix by Anonymous Coward · · Score: 0

    Sikulix would be a great candidate. It's open source testing automation, has a few bugs / glitches in it, but still works.

  7. Re:What value is google providing? by Anonymous Coward · · Score: 0

    It was mentioned what 3rd party tools were being used. What do you expect a front page NYT article? I'm sure on the description pages google gives proper attribution. This article is about the google service availability.

  8. Prevent "bugs" in Google's MAIN platform ads by Anonymous Coward · · Score: 0

    See subject: By blocking their ad "gold" altogether via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script & malware rob speed/security/privacy

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

    * Via what u NATIVELY have in the IP stack in FASTER kernelmode!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

    1. Re: Prevent "bugs" in Google's MAIN platform ads by Anonymous Coward · · Score: 0

      APK, Can you please create your own Reddit group or set up something on 4Chan so you can post your brilliant thoughts and share your knowledge while leaving Slashdot alone so we can begin to enjoy it again? And the good news is that you can continually spam your little custom line editor for host files. I'm sure it wasn't too hard to find someone's open-source notepad code written in visual basic as starting point for you. Seriously it is just tiring having to see your same crap posted again and again. Before I retired I finished my IT career working in the medical industry supporting a company's full medical office software package that did patient scheduling, prescription processing, EHR, etc on top of handling network security, hardware, etc. At no time did I ever see any office using a little notepad editor for host files as part of their security measures. None of my friends at Verizon, various financial institutions, and even a couple of people providing full IT support for city wide police and fire dept. would ever consider such a silly way to manage network security via host file.

      I'm sure you'll respond back with what you will consider a brilliant and/or amusing response to me in an attempt to show your superior knowledge and how amazing your little line editor is. It won't change the simple fact that anyone who handles major network security would ever consider using your application. So please go to Reddit or start a blog page. It's bad enough with the other people who post that stupid gnaa whatever it is post all the time, or the brain trusts that feel the need to tell us that they switched from Microsoft Windows to Linux distro number 968 every time there is a Microsoft article. Or how about Windows 10 is full of spyware, windows 10 sucks, Microsoft is evil and sucks. Systemd sucks, my Linux distro number 5149 version 0.012 has just been released and is already easier to install than Windows 10 which sucks by the way and is full of spyware. You can set up a group in Reddit and manage it so all these useless air breathers can post there.

      I miss the old Slashdot where actual intelligent conversations used to occur and you could always learn something new. Now we are stuck with Little APK and his notepad host file editor spam. The good days are behind us.

      -GeekPoet

  9. 17++ yrs. Dr. Hipp (been there THAT long) by Anonymous Coward · · Score: 0

    See subject: You built SQLite starting in the Navy but what's in my subject's fact - & why I posted https://it.slashdot.org/comments.pl?sid=10606043&cid=54410839/ as to WHY I elected NOT to use SQLite (& yes, I thought about it - makes dedup extremely fast via I would wager a Select * distinct type query, assuming your product uses std. SQL that is - I don't use it, I don't know)...

    * Above ALL else - Hey, I'm not knocking you man (honestly) as I respect your work but from what I've read? WHY DID YOU ELECT TO USE C (buffer overflow exploitation galore via null-terminated strings) as its base constructing language?? Object Pascal HAS string length "built-in" to each string (no possible of that same issue)

    It's integrated (iirc, SQLite compiles INTO the app statically? Not a lib?? Correct me here/set me straight - big on that here - Why I like Delphi's Object-Pascal's VCL is THAT very reason - less "moving parts" hanging around etc.)

    APK

    P.S.=> My guess? It's the language you KNEW how to use best & went w/ it - right? Correct me when & where I am "off" here - & always a pleasure to speak to someone who might be considered a "luminary" of sorts (you'd be one of them imo - John Carmack's been another as well as Cliff Stoll whom I am spoken w/ here)... apk

    1. Re:17++ yrs. Dr. Hipp (been there THAT long) by Anonymous Coward · · Score: 0

      To me you sound like a drunk troll that actually, purposely or not, gives actual object pascal users a bad reputation. None of your accusations/questions or arguments make sense, and same goes for your writing style.

      Hipp made a great piece of software that over time is more widely adapted than anyone ever imagined. If you don't like it, don't use it. But if his design is 'so wrong' as you try to claim, question yourself why this piece of lightweight portable code has become so massively popular.

      Now, please get back to your basement and don't come trolling out for the next 10 years please.

  10. FFMpeg by Anonymous Coward · · Score: 0

    This is great news, that solution has consistently been a problem, going back years. It's good to see it's finally getting some attention.

  11. Re:What value is google providing? by WaffleMonster · · Score: 2

    It was mentioned what 3rd party tools were being used.

    https://opensource.googleblog....

    Where? I don't see any credit given to the people who actually wrote the fuzz software in the blog post referenced in TFA.

    What do you expect a front page NYT article?

    I expect to see proper attribution. Normally I wouldn't care but Google is requiring people to credit its bot which primarily executes software Google didn't write. This is BS in my view.

  12. Re: Why my program doesn't use SQLite by Brockmire · · Score: 1

    Because you have a backdoor in it. Or just embarrassed by how shitty your code is.

  13. And how many in closed source again? by UnknownSoldier · · Score: 1

    At least in the open source you a) KNOW about the bugs, and b) can fix them.

    In closed source bugs can remain hidden for DECADES.

    i.e. The WMF bug was fixed in 2006 but has existed since the Windows 3.x days (1990).

  14. Do-nothing blowhard "Brockmire"! by Anonymous Coward · · Score: 0

    See subject (it's you): Malwarebytes' hpHosts personnel verified my code as safe (they wouldn't host it otherwise much less RECOMMEND it above others as they do) & yes ~60 antivirus programs @ Google's VirusTotal further verify it as safe/clean https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

    * You've done BETTER & earlier blowhard "ne'er-do-well" windbag "Brockmire"? Prove it...

    APK

    P.S.=> FAKE NAME fucks like you (for your fake do-nothing lives)? Make me LAUGH (@ "your kind")... apk

  15. Why my program doesn't use SQLite by Anonymous Coward · · Score: 0

    See subject: An inferior competitor hostsman does (& it's what I've warned of using others' libs/code - bugs). You must wait out a fix (IF it happens).

    THE ARTICLE PROVES MY POINT!

    Hostsman is stuck in 32-bit ONLY (mine does both 32/64-bit) & doesn't do hardcoded favorites where you spend most time online resolving faster locally in system RAM via hosts @ TOP of hosts (for fastest resolution) & protecting you vs. DNS level tracking + security issues dns has - mine does & is SINGLE "standalone" .exe portable multithreaded design (no dependence on BUGGY SQLite).

    * BEST hosts file program? Accept NO substitute APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    APK

    P.S.=> I won't "openSORES" it - Google EFast = why (a malware created via Chrome's openSORES)... apk

  16. Re:What value is google providing? by Dutch+Gun · · Score: 1

    Few others can devote such intense, continuous computational resources to finding bugs. Fuzz testing relies on a lot of brute-force computational power to test such an unfathomable number of potential test permutations, and it seems like this is essentially what they're providing.

    Given how many bugs they've found, I'd call "promotion of a worthwhile service" rather than "attention whoring". I mean, Google is essentially sponsoring projects to help make them more secure.

    I understand your point about attribution, but I think you're underestimating Google's contribution as well.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  17. Re: Why my program doesn't use SQLite by Anonymous Coward · · Score: 0

    The more I read your posts APK, the less I want to use your product. You show such a skewed perspective on everything that I wouldn't trust anything you spam, I mean sell.

  18. I merely state facts this article seconds by Anonymous Coward · · Score: 0

    See subject: I merely state facts this article seconds - that's all. In the end? I am GLAD I chose to write my own code, by hand, vs. dependence on others work that has issues (now hopefully fixed).

    APK

    P.S.=> Especially vs. security issues... apk

  19. Re:Why my program doesn't use SQLite by Anonymous Coward · · Score: 0

    What do you mean "portable, multi-threaded design", I just saw you rip in to someone not too long ago suggesting you process your hosts list in a background thread to prevent your UI from becoming non-responsive and you stated that it was impossible since the VCL was not threadsafe. Come back when you get an education moron, and you won't need to ask developers why they would rather use C than Object Pascal for one of the most stable and respected databases on the planet. You have no clue what you are even fucking talking about in almost every post you make.

  20. I merely state facts you can't handle by Anonymous Coward · · Score: 0

    1st, you fool yourself - thought's too complex for "your kind". Widely used full of bugs is GOOD? I know not.

    * Knew this was coming using others' libs or code - hence why I avoided using SQLite (or other 3rd party code in most shareware/freeware work I've done over time).

    APK

    P.S.=> However: At least Hipp produced something. He's a "doer" (I won't take that from him he earned it) - but you & "your kind" - mere "ne'er-do-well" talkers? YOU'RE ALL HOT-AIR BLOWHARD WINDBAG DO-NOTHING TALK & nothing more... apk

  21. As to my ware & reputation? /.'ers speak by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    take a look at the APK hosts file engine by SuperKendall

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    * My code's liked + recommended & hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> Per my subject & your crap you tried feeding me "ne'er-do-well"? You've done BETTER?? Prove it... apk

  22. Mr. wannabe security pro: REAL pros differ by Anonymous Coward · · Score: 0

    Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.com/columnists/491/ "Host file accessing the Internet - particularly browsing the Web - is actually faster... Spybot Search & Destroy offer lists of known malicious servers to add a layer of defense against trojans & other forms of malware"

    OReilly hosts security -> http://oreilly.com/pub/a/windows/2004/03/30/hosts.html/ & hosts speed -> http://www.oreillynet.com/pub/a/network/excerpt/winxphacks_chap1/index1.html?page=3/

    Steve Gibson endorses hosts https://www.grc.com/sn/sn-045.htm/

    Aryeh Goretsky/ESET/NOD32: hosts = good security http://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/

    Malwarebytes hpHosts' hosts/RECOMMENDS me!

    Brocke Wilders of WILDERS' SECURITY does inferior clone of MY work http://www.wilderssecurity.com/threads/hosts-block.378901/

    APK

    P.S.=> China = imitation = flattery http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/

  23. Dear do-nothing "ne'er-do-well" by Anonymous Coward · · Score: 0

    See subject: My program's MY work, no bugs to date & it's done well by many 1,000's e.g. -> https://it.slashdot.org/comments.pl?sid=10606043&cid=54413665/

    * You've done better?

    My other post w/ REAL security & web pros put your wannabe ALLEGED "know-it-all" all talk ass away on SECURITY & SPEED hosts yield https://it.slashdot.org/comments.pl?sid=10606043&cid=54413749/ chump!

    It's no mere notepad (shows how dumb you are in that alone) & not written in VB or anyone else's code (which this article proves can be a BIG mistake with others' code that's FULL OF BUGS!

    APK

    P.S.=> So, again - Asking you a question above now in bold YOU CAN'T ANSWER talker (no doer) - you've done BETTER? Prove it ("your kind", can't, ever, lol)... apk

  24. Exactly what I said I mean (learn to read) by Anonymous Coward · · Score: 0

    It spawns up to 8 added threads for reverse DNS of fav sites where you spend most time (speeds up resolution locally from system RAM as hosts is cached & it is, it's just a file & PROTECTS YOU VS. DNS down (see China's "imitation=sincerest form of flattery" to my credit using hosts that way LONG before them http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ OR vs. DNS numerous security & inefficiency issues galore https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/ )

    * I'm move my program around in AeroGlass in Win7 easily - under GDI/Win32 the progressbars work just fine also!

    (YOU PROJECT YOU DON'T KNOW WHAT YOU'RE TALKING ABOUT troll "ne'er-do-well" + You're welcome to do BETTER but you can't)

    APK

    P.S.=> VCL != threadsafe. I do my non-visible work in StringLists + reverse DNS code on threads (non-VCL)... apk

  25. Dr. Hipp's not answering me: Why? by Anonymous Coward · · Score: 0

    See subject (says it all) & blowing you away on threadwork https://it.slashdot.org/comments.pl?sid=10606043&cid=54414317/ was just "too, Too, TOO EASY - just '2ez'" bullshit artist UNIDENTIFIABLE anonymous troll! Yes, My program is also PORTABLE & multithreaded (effective where it matters & YOU LOSE on VCL fool (I don't thread that part)).

    * Using C has EXACTLY the problem I noted in it - null terminated strings open the possibility of BUFFER OVERFLOW EXPLOITS fool!

    (Pascal has NO SUCH PROBLEM - string length is already incorporated in its stringhandling - no having to use added slowups of strlen check functions (ala sending 2 pointers thru the character array of the string & 1 is double the size of the other, when the larger no longer advances you have midpoint - double that for length of string vs. buffer overflow of data inputs)).

    * Stable & RESPECTED? More like it had BUGS for 17++ yrs.! I want to know how to replace the OLD buggy one w/ his new patch in my browser!

    It's why I contacted him but he RAN!

    APK

    P.S.=> Point-blank - YOU don't have the BRAINS to take me on - between THIS post & the one in the link above? Give up chump - & if you haven't noticed? Dr. Hipp RAN from this from me too https://it.slashdot.org/comments.pl?sid=10606043&cid=54411183/ - "Gosh, I wonder WHY?" (not)... apk

  26. Re:Why my program doesn't use SQLite by Anonymous Coward · · Score: 0

    Untrue, in SQLite you are free to fix any problems you wish as the code is public domain. Unlike a closed source application such as your own which leaves the user completely at your mercy.

  27. How do I patch Opera 12.18 64-bit then? by Anonymous Coward · · Score: 0

    See subject: I asked Dr. Hipp that but he RAN! How about an inferior competitor of mine that uses SQLite (hostsman)? Opera USES SQLite (buggy model as this article PROVES).

    * My code STAYS CLOSED - I'm not as DUMB as Google was (witness Chrome "EFast" misuse of Chrome code for malware!).

    WHEN A LIB or body of CODE goes bad as SQLite has shown it has? USERS, even myself, ARE @ THEIR TURNAROUND TIME & SUPPORT MERCY!

    (Not the other way around, but "nice try" (not) pulling your crap - & answer my question above!)

    APK

    P.S.=> Since I publicly released my program in 2012 not a SINGLE security issue OR even a BUG has come up & IF it did? I'd be on it like "white on rice" & fix it quickly (ask Mr. Steven Burn of Malwarebytes' hpHosts how FAST I am @ patches - clue: SAME DAY usually, it's my code, I get it completely)... apk