Google has open-sourced its fuzz testing tool ClusterFuzz. Fuzz testing is an automated software testing technique that feeds a program large numbers of generated or mutated inputs to find programming errors, some of which can negatively impact security or software stability.
According to Google, ClusterFuzz has helped find over 16,000 bugs in Chrome, as well as over 11,000 bugs in open source projects integrated with OSS-Fuzz.
The tool saves developers time by automating part of the testing process. Developers and quality assurance teams can use ClusterFuzz with many languages, though it is most recommended for C/C++.
Google said, “ClusterFuzz is simple to integrate and it works fast, and is often able to detect bugs hours after they are introduced and verify the fix within a day”.
Some notable ClusterFuzz features include:
- Highly scalable. Google’s internal instance runs on over 25,000 machines.
- Accurate deduplication of crashes.
- Fully automatic bug filing and closing for issue trackers (Monorail only for now).
- Testcase minimization.
- Regression finding through bisection.
- Statistics for analyzing fuzzer performance, and crash rates.
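Three of the features listed above (crash deduplication, testcase minimization and regression finding through bisection) are each, at their core, a small hashing or search procedure driven by one question: does this input still crash this build? The following is an added example written for this article, not code from ClusterFuzz itself, showing toy versions of each. The buggy target, the sanitizer-style stack traces, the revision numbers and the "build and run" simulation are all constructed for illustration; the signature scheme (hashing the top few stack frames) is one common approach, not a claim about ClusterFuzz's exact algorithm.

```python
"""Toy crash deduplication, testcase minimization and regression bisection.
Added example for this article, not ClusterFuzz's own code; the crashing
target, the stack traces and the revision ids below are constructed."""
import hashlib
import re


class TargetCrash(Exception):
    """Stands in for a sanitizer-detected crash."""


def target(data: bytes) -> None:
    # Constructed buggy parser: "crashes" whenever the byte string b"BAD"
    # appears anywhere after the first b"{".
    if b"{" in data and b"BAD" in data[data.index(b"{"):]:
        raise TargetCrash("heap-buffer-overflow")


def crashes(data: bytes) -> bool:
    """The oracle every step below relies on: does this input crash?"""
    try:
        target(data)
    except TargetCrash:
        return True
    return False


# 1. Deduplication: two inputs that crash at the same place should map to
#    one bug. Hash the top function names of a sanitizer trace, dropping the
#    addresses, PIDs and line numbers that vary between runs and builds.
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+)")


def crash_signature(stack_trace: str, frames: int = 3) -> str:
    funcs = FRAME_RE.findall(stack_trace)[:frames]
    return hashlib.sha256("\n".join(funcs).encode()).hexdigest()[:16]


# 2. Minimization: delta debugging (ddmin) over the input bytes. Split the
#    input into n chunks, try dropping each chunk, keep any variant that still
#    crashes, and refine the granularity until no single byte can be removed
#    (the result is 1-minimal: dropping any one byte stops the crash).
def minimize(data: bytes, oracle=crashes) -> bytes:
    assert oracle(data), "minimization needs a crashing input to start"
    n = 2
    while len(data) >= 2:
        size = len(data) // n
        chunks = [data[i:i + size] for i in range(0, len(data), size)]
        for i in range(len(chunks)):
            candidate = b"".join(chunks[:i] + chunks[i + 1:])
            if oracle(candidate):
                data = candidate          # smaller input, same crash
                n = max(n - 1, 2)
                break
        else:  # no chunk could be dropped at this granularity
            if n >= len(data):
                break                     # already tried every single byte
            n = min(n * 2, len(data))
    return data


# 3. Regression finding: given revisions in order, with the first known good
#    and the last known bad, bisect to the first revision that crashes.
def find_regression(revisions, crashes_at):
    good, bad = 0, len(revisions) - 1
    assert not crashes_at(revisions[good]) and crashes_at(revisions[bad])
    while bad - good > 1:
        mid = (good + bad) // 2
        if crashes_at(revisions[mid]):
            bad = mid
        else:
            good = mid
    return revisions[bad]


# Constructed sample data: one crashing input, two traces of the same bug
# from different runs (A, B) and one trace of a different bug (C).
SAMPLE_CRASH = b'{"name": "hello", "mode": "BAD", "retries": 3}'
SAMPLE_TRACE_A = """==4242==ERROR: AddressSanitizer: heap-buffer-overflow
    #0 0x4a1b2c in parse_value parser.c:88
    #1 0x4a0f00 in parse_object parser.c:142
    #2 0x49ee10 in LLVMFuzzerTestOneInput fuzz_target.c:12"""
SAMPLE_TRACE_B = """==9001==ERROR: AddressSanitizer: heap-buffer-overflow
    #0 0x5c1d00 in parse_value parser.c:91
    #1 0x5c0a10 in parse_object parser.c:142
    #2 0x5beb20 in LLVMFuzzerTestOneInput fuzz_target.c:12"""
SAMPLE_TRACE_C = """==4243==ERROR: AddressSanitizer: heap-buffer-overflow
    #0 0x4a2000 in parse_string parser.c:60
    #1 0x4a1b2c in parse_value parser.c:88
    #2 0x4a0f00 in parse_object parser.c:142"""
SAMPLE_REVISIONS = list(range(100, 200, 10))  # constructed revision ids
BUG_INTRODUCED_AT = 160                        # hidden ground truth


def simulated_crashes_at(revision, data=SAMPLE_CRASH):
    # Stands in for "build this revision, run the testcase, check for a crash".
    return revision >= BUG_INTRODUCED_AT and crashes(data)


def triage(data=SAMPLE_CRASH):
    """Run all three steps and return what an automated bug report needs."""
    return {
        "signature": crash_signature(SAMPLE_TRACE_A),
        "minimized": minimize(data),
        "regressed_in": find_regression(SAMPLE_REVISIONS, simulated_crashes_at),
    }


if __name__ == "__main__":
    print(triage())
```

Running the script reduces the 46-byte crashing input to the four bytes `{BAD`, reports that traces A and B share a signature while C does not, and pins the regression to revision 160 after four builds instead of ten. The same oracle-driven structure is why ClusterFuzz can turn a raw fuzzer crash into a filed bug with a minimal reproducer and a culprit range without a human in the loop.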
Developers can find ClusterFuzz’s source code on GitHub at github.com/google/clusterfuzz.