Announcing OSS-Fuzz: Continuous Fuzzing for Open Source Software

212 points, posted by tanin over 8 years ago

5 comments

orf, over 8 years ago
Awesome, it's found a few bugs with Sqlite3 already: https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=type%3DBug-Security%2CBug+-component%3AInfra+status%3AFixed%2CVerified+sqlite3&sort=-id&colspec=ID+Type+Component+Status+Library+Reported+Owner+Summary&cells=ids
nchammas, over 8 years ago
On the topic of fuzz testing, Python has an excellent library for property-based testing called Hypothesis [0] [1]. I don't think it does guided testing like AFL or libFuzzer (which OSS-Fuzz uses), but it's very powerful nonetheless.

[0] http://hypothesis.works/
[1] https://github.com/HypothesisWorks/hypothesis-python
newman314, over 8 years ago
I'd like to see openssh added to the list of fuzzed projects.
seanwilson, over 8 years ago
> Recent security stories confirm that errors like buffer overflow and use-after-free can have serious, widespread consequences when they occur in critical open source software.

This project is awesome and incredibly valuable but what alternatives are there to making the libraries it checks more secure besides rewriting them in another language? When languages exist where buffer overflows and use-after-free are essentially impossible it's a bit depressing that we have to rely on fuzzing unless fuzzing can find these kinds of bugs with high reliability?
mtgx, over 8 years ago
> In order for a project to be accepted to OSS-Fuzz, it needs to have a large user base and/or be critical to Global IT infrastructure

Let's see - Firefox and/or the Tor browser? I imagine Google wouldn't be too happy about doing free security research for Firefox, but it seems to fit the bill quite well for the goals and mission of the Core Infrastructure Initiative organization.