Google open-sources Atheris, a tool for finding security bugs in Python code

Atheris helps developers find bugs in Python-based codebases using a technique called fuzzing.

atheris squamigera, green bush viper

Atheris squamigera, also known as a green bush viper

Image: sipa

Google's security experts have open-sourced another automated fuzzing utility in the hopes that developers will use it to find security bugs and patch vulnerabilities before they are exploited.

Named Atheris, the project is a classic fuzzer.

A fuzzer (or fuzzing tool) and the technique of fuzzing work by feeding a software application with large quantities of random data and analyzing its output for abnormalities and crashes, which give developers a hint about the presence and location of possible bugs in an app's code.

Across the years, Google's security researchers have been some of the biggest promoters of using fuzzing tools to discover not only mundane bugs but also dangerous vulnerabilities that could be exploited by attackers.

Since 2013, Google security researchers have created and later open-sourced several fuzzing tools, including the likes of OSS-FuzzSyzkallerClusterFuzzFuzzilli, and BrokenType.

But all of these tools have been created for discovering bugs in C or C++ applications.

A fuzzer for the growing Python codebase

Atheris is Google's answer to the rising popularity of the Python programming language, currently ranked 3rd in last month's TIOBE index.

Developed internally at Google in a hackaton last October, Atheris supports fuzzing Python code written in Python 2.7 and Python 3.3+, but also native extensions created with CPython.

However, Google says that Atheris works best with code in Python 3.8 and later, where new features added to the Python programming language can help Atheris find even more bugs than in code written in older Python code.

Google has open-sourced the Atheris code on GitHub, and the fuzzer is also available on PyPI, the Python package repository.

Going forward, Google says it also plans to add support for Atheris fuzz tests on OSS-Fuzz, a hosted platform that lets developers fuzz open-source projects for security flaws. Previously, this platform supported only C and C++ fuzzing, and was extremely successful, being used to find thousands of bugs across the years. As of June 2020, OSS-Fuzz has found over 20,000 bugs in 300 open source projects.