Continuous fuzzing is an increasingly popular technique for automated quality and security assurance. Google maintains OSS-Fuzz: a continuous fuzzing service for open source software. We conduct the first empirical study of OSS-Fuzz, analyzing 23,907 bugs found in 316 projects. We examine the characteristics of fuzzer-found faults, the lifecycles of such faults, and the evolution of fuzzing campaigns over time. We find that OSS-Fuzz is often effective at quickly finding bugs, and developers are often quick to patch them. However, flaky bugs, timeouts, and out of memory errors are problematic, people rarely file CVEs for security vulnerabilities, and fuzzing campaigns often exhibit punctuated equilibria, where developers might be surprised by large spikes in bugs found. Our findings have implications on future fuzzing research and practice.
翻译:持续模糊是自动化质量和安全保障日益流行的一种技术。 谷歌维护开放源码软件:开放源码软件的持续模糊服务。 我们对开放源码软件进行了第一次实验性研究,分析了316个项目中发现的23,907个错误。 我们研究了模糊错误的特征、这些错误的生命周期以及模糊运动随时间推移的演变。 我们发现开放源码软件在迅速找到错误方面往往有效,开发者往往很快补好它们。 然而,防弹性错误、超时和记忆错误都存在问题,人们很少为安全弱点提交CTV,而模糊运动往往表现出不协调的平衡,开发者可能因发现的错误的大幅上升而感到惊讶。 我们的发现对未来的模糊研究和实践产生了影响。
相关内容
Source: Apple - iOS 8
微信扫码咨询专知VIP会员