Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / oss-fuzz / 9abf69c93d0fe58a96879a9dc64941f41b8db660 / . / README.md
blob: e3670d0935186a5b8cec9744521b6beb7ffe8b1c [file] [log] [blame] [view]
kplybon8216f272019-08-08 10:12:25 -0400[diff] [blame]1# OSS-Fuzz: Continuous Fuzzing for Open Source Software
Mike Aizatsky8f24df72016-10-25 14:31:45 -0700[diff] [blame]2
3[Fuzz testing](https://en.wikipedia.org/wiki/Fuzz_testing) is a well-known
kplybon8216f272019-08-08 10:12:25 -0400[diff] [blame]4technique for uncovering programming errors in software.
Max Moroz40a183b2019-08-09 12:35:14 -0700[diff] [blame]5Many of these detectable errors, like [buffer overflow](https://en.wikipedia.org/wiki/Buffer_overflow), can have serious security implications. Google has found [thousands] of security vulnerabilities and stability bugs by deploying [guided in-process fuzzing of Chrome components](https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html),
kplybond8af01c2019-08-09 15:24:43 -0400[diff] [blame]6and we now want to share that service with the open source community.
Mike Aizatsky8f24df72016-10-25 14:31:45 -0700[diff] [blame]7
Max Moroz40a183b2019-08-09 12:35:14 -0700[diff] [blame]8[thousands]: https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix&can=1
9
inferno-chromiuma660ca32016-11-23 08:35:07 -0800[diff] [blame]10In cooperation with the [Core Infrastructure Initiative](https://www.coreinfrastructure.org/),
11OSS-Fuzz aims to make common open source software more secure and stable by
kplybon8216f272019-08-08 10:12:25 -0400[diff] [blame]12combining modern fuzzing techniques with scalable,
Kostya Serebryanyb48c72b2016-11-18 16:47:25 -0800[diff] [blame]13distributed execution.
14
Abhishek Arya938735b2020-06-12 16:00:38 -0700[diff] [blame]15We support the [libFuzzer](http://llvm.org/docs/LibFuzzer.html), [AFL](https://lcamtuf.coredump.cx/afl/) and
16[Honggfuzz](https://github.com/google/honggfuzz) fuzzing engines
kplybon8216f272019-08-08 10:12:25 -0400[diff] [blame]17in combination with [Sanitizers](https://github.com/google/sanitizers), as well as
18[ClusterFuzz](https://github.com/google/clusterfuzz),
19a distributed fuzzer execution environment and reporting tool.
Mike Aizatsky8f24df72016-10-25 14:31:45 -0700[diff] [blame]20
jonathanmetzman984b7922019-08-19 14:07:33 -0700[diff] [blame]21Currently, OSS-Fuzz supports C/C++, Rust, and Go code. Other languages supported by [LLVM](http://llvm.org) may work too.
22OSS-Fuzz supports fuzzing x86_64 and i386 builds.
Kostya Serebryany229ffae2016-12-02 20:41:47 -0800[diff] [blame]23
kplybon8216f272019-08-08 10:12:25 -0400[diff] [blame]24## Overview
25![OSS-Fuzz process diagram](docs/images/process.png)
26
kplybon615ff3a2019-08-08 10:36:35 -0400[diff] [blame]27## Documentation
kplybon8216f272019-08-08 10:12:25 -0400[diff] [blame]28Read our [detailed documentation](https://google.github.io/oss-fuzz) to learn how to use OSS-Fuzz.
Max Morozaa9c2572018-12-11 13:56:48 -0800[diff] [blame]29
Oliver Chang9e0c1432016-10-25 20:44:34 -0700[diff] [blame]30## Trophies
Abhishek Arya9abf69c2020-06-12 16:03:07 -0700[diff] [blame^]31As of January 2020, OSS-Fuzz has found over [20,000] bugs in [300] open source projects.
Mike Aizatsky26819642016-10-06 14:02:52 -0700[diff] [blame]32
Abhishek Arya9abf69c2020-06-12 16:03:07 -0700[diff] [blame^]33[20,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=-status%3AWontFix%2CDuplicate%20-component%3AInfra&can=1
34[300]: https://github.com/google/oss-fuzz/tree/master/projects
Mike Aizatsky26819642016-10-06 14:02:52 -0700[diff] [blame]35
Abhishek Aryacf4af862019-08-07 07:37:16 -0700[diff] [blame]36## Blog posts
37
Abhishek Arya305e0472019-08-15 15:08:51 -0700[diff] [blame]38* 2016-12-01 - [Announcing OSS-Fuzz: Continuous fuzzing for open source software](https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html)
Abhishek Arya055f9832019-08-15 15:07:23 -0700[diff] [blame]39* 2017-05-08 - [OSS-Fuzz: Five months later, and rewarding projects](https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html)
40* 2018-11-06 - [A New Chapter for OSS-Fuzz](https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html)