Google open-sources internal tool for finding font-related security bugs

Google Project Zero releases BrokenType, a tool that found nearly 40 security bugs in Windows font rasterization components

Google has open-sourced an internal tool that can help security researchers find security bugs in font display (rasterization) components.

The tool is named BrokenType and is the work of Google Project Zero security engineer Mateusz Jurczyk, one of the leading experts in font-related security bugs [1, 2, 3].

At its core, BrokenType is a fuzzer: a tool that feeds a software application large quantities of random or deliberately malformed data and watches its behaviour for abnormalities such as crashes, which in turn give developers a hint about the presence of possible bugs in their code.
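To make the fuzzing loop described above concrete, here is an added illustration that is not part of the article and is not BrokenType's own code. It parses the table directory at the start of a TrueType ("sfnt") file, the structure every font parser reads first, in two hypothetical versions: one that trusts the field values, and one with the bounds checks a reviewer would ask for. A small mutation-based fuzzer then feeds both parsers mutated copies of a constructed two-table seed font and triages the outcome of every run. All function names, the seed font and the mutation strategies are constructed for this example.

```python
import random
import struct

# Constructed, minimal TrueType ("sfnt") container: a 12-byte offset table followed
# by one 16-byte record per table and then the table payloads themselves.
OFFSET_TABLE = ">IHHHH"   # scalerType, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = ">4sIII"   # tag, checkSum, offset, length


def build_seed_font() -> bytes:
    """Build a well-formed two-table font to seed the fuzzer (constructed sample).
    searchRange/entrySelector/rangeShift are not consulted by the parsers below."""
    header = struct.pack(OFFSET_TABLE, 0x00010000, 2, 32, 1, 0)
    records = struct.pack(TABLE_RECORD, b"cmap", 0, 44, 4)
    records += struct.pack(TABLE_RECORD, b"glyf", 0, 48, 4)
    return header + records + b"\x00\x01\x02\x03" + b"\x04\x05\x06\x07"


SEED_FONT = build_seed_font()


def parse_table_directory_naive(data: bytes) -> dict:
    """Trusting parser: reads numTables records without checking that they fit in
    the buffer.  In Python the failure surfaces as struct.error; the same logic in
    a C rasterizer would be an out-of-bounds read."""
    _, num_tables, _, _, _ = struct.unpack_from(OFFSET_TABLE, data, 0)
    tables = {}
    for i in range(num_tables):
        tag, _, offset, length = struct.unpack_from(TABLE_RECORD, data, 12 + 16 * i)
        tables[tag] = data[offset:offset + length]
    return tables


def parse_table_directory_hardened(data: bytes) -> dict:
    """Same parser with bounds checks; malformed input is rejected with
    ValueError instead of faulting."""
    if len(data) < struct.calcsize(OFFSET_TABLE):
        raise ValueError("truncated offset table")
    _, num_tables, _, _, _ = struct.unpack_from(OFFSET_TABLE, data, 0)
    if 12 + 16 * num_tables > len(data):
        raise ValueError("table directory exceeds file")
    tables = {}
    for i in range(num_tables):
        tag, _, offset, length = struct.unpack_from(TABLE_RECORD, data, 12 + 16 * i)
        # Python integers cannot overflow here, but in C the sum offset + length
        # needs its own overflow check before this comparison.
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} lies outside the file")
        tables[tag] = data[offset:offset + length]
    return tables


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Apply one of three cheap mutations typical of a mutation-based fuzzer."""
    buf = bytearray(sample)
    strategy = rng.randrange(3)
    if strategy == 0:                       # overwrite a few random bytes
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif strategy == 1:                     # truncate the file
        del buf[rng.randrange(len(buf)):]
    else:                                   # drop a boundary value into a 16-bit field
        pos = rng.randrange(len(buf) - 1)
        struct.pack_into(">H", buf, pos, rng.choice([0, 1, 0x7FFF, 0x8000, 0xFFFF]))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1):
    """Feed mutated inputs to `target` and triage each run.  ValueError is the
    parser's deliberate rejection path; any other exception is an abnormality,
    recorded by exception type together with one reproducing input."""
    rng = random.Random(rng_seed)
    stats = {"ok": 0, "rejected": 0}
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
            stats["ok"] += 1
        except ValueError:
            stats["rejected"] += 1
        except Exception as exc:            # everything else is a finding to triage
            crashes.setdefault(type(exc).__name__, sample)
    return stats, crashes


if __name__ == "__main__":
    for parser in (parse_table_directory_naive, parse_table_directory_hardened):
        stats, crashes = fuzz(parser, SEED_FONT, 2000)
        print(f"{parser.__name__}: {stats}, crash classes: {sorted(crashes)}")
```

Running the script shows the pattern a real font fuzzer relies on: the trusting parser produces a crash class within a few iterations (truncated files and oversized `numTables` both walk the record loop off the end of the buffer), while the hardened parser turns every such input into a clean rejection. Keeping one reproducer per crash class is what lets a researcher report the bug with a minimal test case.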

Just like most Google open-source projects, BrokenType is a respectable and battle-tested tool. Jurczyk says he used BrokenType between 2015 and 2017 to find and report 20 vulnerabilities in the Windows kernel font rasterization library, and another 19 security flaws in Microsoft Uniscribe, a Windows API for controlling the operating system's typography settings.

Jurczyk says that BrokenType will help security researchers identify vulnerabilities affecting libraries used for rendering TrueType and OpenType fonts, the two most widespread font formats used today.

Because font rasterization libraries are present in practically every desktop and mobile operating system, font security issues are highly sought after by attackers: a single vulnerability can allow threat actors to target a multitude of OS versions and platforms.

For example, HackingTeam, an Italian company that sells hacking tools to governments, was known to have owned and peddled exploits that targeted font-related vulnerabilities.

Rarely has a year gone by in recent memory without a major font-related security issue affecting Windows users, such as those reported in 2013, 2015, 2016, 2017, and even this year, in 2018.

Furthermore, font issues aren't limited to OS-level components; they also affect font rasterization libraries embedded in more complex software such as Firefox or Adobe Reader, to name just a few.

This is not the first time that Google engineers have open-sourced a fuzzing tool.

Google previously released a fuzzing tool named Flayer in 2007. At the time, Google said its engineers used Flayer to discover several bugs in projects like OpenSSH, OpenSSL, LibTIFF, and libPNG.

The search giant's engineers later open-sourced two other fuzzers called Syzkaller and OSS-Fuzz, one for fuzzing OS kernel components, and the other for fuzzing more mundane and run-of-the-mill open source projects and libraries.

Last but not least, Google open-sourced Domato in late 2017, a fuzzer for finding vulnerabilities in modern browsers. At the time, Google said Domato helped its engineers identify and report 31 security bugs in modern browsers, most of which were found in Safari.
