Google Takes Security up a Notch for CI/CD With ClusterFuzzLite

Google makes fuzzing easier and faster with ClusterFuzzLite

Nov. 24, 2021, 1:26 a.m.

TL;DR

Google noticed the increase in attention given to security with the recent happenings concerning cybersecurity around the world. The tech giant then decided to support its customers by bringing ClusterFuzzLite security solutions into the software development process.

ClusterFuzzLite can be Integrated into GitHub users’ workflow with just a few lines of code.

Key Facts

1
ClusterFuzzLite is a solution that runs as part of continuous integration (CI) workflow.
2
It is easy to set up and integrate into GitHub users workflow
3
It is based on ClusterFuzz
4
It works in association with Google’s OSS-Fuzz program
5
It supports a number of program languages, including C++, C, Go, Python, etc.

Details

With the increase in software supply chain attacks, increased security measure is now the order of the day. Code testing is now more needed than ever to catch vulnerabilities quickly before moving the code to the next phase. Google LLC brought on ClusterFuzzLite, a continuous fuzzing solution that works with continuous integration workflow, and it finds vulnerabilities faster than ever. You might be wondering what fuzzing is; it is a debugging technique where you feed garbage to your program and see what happens.

ClusterFuzzLite supports three CI systems for now, including GitHub Actions, Prow, and Google Cloud Build, while they are working on other CI systems to support. ClusterFuzzLite can be Integrated into GitHub users’ workflow with just a few lines of code.

ClusterFuzzLite has two modes of fuzzing, which are code change fuzzing and batch fuzzing.

ClusterFuzzLite has a handful of a feature that makes it an efficient security tool. It has a pull request code change fuzzing to find bugs before they land. It has longer continuous fuzzing (batch fuzzing) to locate bugs missed while using the code change fuzzing, and it downloads crashing test cases. Its coverage report feature helps users know which part of the code has been fuzzed, and best of all - you can decide which feature to use for fuzzing or which one not to use.

ClusterFuzzLite has many of the features that ClusterFuzz (a scalable fuzzing infrastructure) has; they both have continuous fuzzing, sanitizer support, corpus management, and corporate report generation features. ClusterFuzzLite also uses the same toolchain as the OSS-Fuzz for easier building, meaning that ClusterFuzzLite will also build your project in a Docker container except that ClusterFuzzLite will make Dockerfile copy directly from the source code during docker build while OSS-Fuzz will use git clone to check your Dockerfile.

This first launch of ClusterFuzzLite only supports libFuzzer fuzzing engine; its sanitizers can also be used for AddressSanitizer (ASan) - to detect memory safety issues; UndefinedBehaviorSanitizer (UBSan) - to detect undefined behavior, e.g., integer overflow; MemorySanitizer (MSan) - to detect the use of uninitialized memory.

ClusterFuzzLite supports various languages: C, C++, Python, Rust, Swift, Go, and every JVM-based language.