Google: We've open-sourced ClusterFuzz tool that found 16,000 bugs in Chrome

Google's automated bug-finding tool is now available to all software developers.
Written by Liam Tung, Contributing Writer

Google has open sourced ClusterFuzz, one of its automated bug-hunting tools that has helped it find around 16,000 bugs in Chrome. 

The so-called fuzzing tool, or rather infrastructure, is adept at finding memory-corruption bugs that often end up requiring a security patch. 

Until now, only Google engineers and select open-source projects have been able to use ClusterFuzz. But now any software developer can use the automated bug hunter, Google has announced.  

Google has employed ClusterFuzz in tandem with OSS-Fuzz, another fuzzing tool it open-sourced two years ago. Together, OSS-Fuzz and ClusterFuzz have uncovered 11,000 bugs in 160 open-source projects. Meanwhile, ClusterFuzz has found 16,000 bugs in Chrome, helping Google patch a browser that's used by over a billion people. 

Google's instances of ClusterFuzz run on over 25,000 machines on the Google Cloud Platform, relying on Google's cloud-storage, database, monitoring and data-warehouse technologies. 

However, now that it's open, developers can also run ClusterFuzz on local clusters, with a few limitations because some features depend on Google Cloud. 

The way it works in Google's cloud is that Google uploads the program it wants to test, throws unexpected inputs at it, and, after finding a crash, automatically files a bug for engineers to set to work on fixing. 

For the most part, though, the workflow is automated, including bug detection, triage, bug reporting, and closing off the bug report.
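To make that workflow concrete, here is an added toy model of the loop, not ClusterFuzz's own code: a constructed buggy target, byte-level mutation, crash detection, triage by crash signature so duplicates aren't filed twice, and closing bugs that no longer reproduce on a fixed build. All function names and the target are hypothetical.

```python
import random

# Constructed stand-in for a program under test: it "crashes" (raises) on two
# classes of input, the way memory-corruption bugs crash a real fuzz target.
def target(data: bytes) -> None:
    if len(data) > 8 and data[0] == 0xFF:
        raise IndexError("header overflow")  # constructed bug A
    if b"\x00\x00" in data:
        raise ValueError("null span")        # constructed bug B

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Byte-level mutation: overwrite, insert or delete one byte."""
    data, op = bytearray(seed), rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)

def run_testcase(target, data: bytes):
    """Run one input. Returns None if it ran cleanly, else a crash signature
    (exception type + innermost function and line) that serves as triage key."""
    try:
        target(data)
        return None
    except Exception as exc:
        tb = exc.__traceback__
        while tb.tb_next:  # walk to the frame that actually raised
            tb = tb.tb_next
        return f"{type(exc).__name__}@{tb.tb_frame.f_code.co_name}:{tb.tb_lineno}"

def fuzz(target, seeds, iterations: int, rng_seed: int = 0) -> dict:
    """Detection, triage, reporting: a signature already filed gets a count bump, not a second bug."""
    rng, corpus, bugs = random.Random(rng_seed), list(seeds), {}
    for i in range(len(seeds) + iterations):
        # seeds run first; afterwards mutate inputs that are known to run cleanly
        data = seeds[i] if i < len(seeds) else mutate(rng.choice(corpus), rng)
        sig = run_testcase(target, data)
        if sig is None:
            corpus.append(data)
        elif sig in bugs:
            bugs[sig]["count"] += 1
        else:
            bugs[sig] = {"testcase": data, "count": 1, "status": "open"}
    return bugs

def verify_fix(bugs: dict, fixed_target) -> dict:
    """Replay each filed testcase on the fixed build; close bugs that no longer reproduce."""
    for bug in bugs.values():
        bug["status"] = "open" if run_testcase(fixed_target, bug["testcase"]) else "closed"
    return bugs
```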


As Google notes, automated testing through fuzzing of products as complex as a browser saves time and catches bugs that can slip through manual code reviews. Back in 2012, Google was using ClusterFuzz to run 50 million test cases per day against various Chrome builds. 

Significant open-source projects have been able to apply for acceptance onto the OSS-Fuzz program for a few years now, and receive bug reports from Google. Only software projects that either have a large user base or play a critical role in global IT infrastructure can join. 

Those that are accepted to the program also get access to ClusterFuzz tools, such as crash and fuzzing statistics, and they're expected to meet Google's 90-day disclosure deadline.  

Google late last year beefed up automation features of OSS-Fuzz in the cloud so that bugs found with the tool no longer need to be manually reported to public bug trackers.  

Google hopes that by opening up ClusterFuzz to all, it will encourage all software developers – not just open source developers – to integrate fuzzing into their workflows. 

"We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed," Google's ClusterFuzz team writes. 

"It is an integral part of the development process of Chrome and many other open-source projects," they added.
