ICSEA 2023, The Eighteenth International Conference on Software Engineering Advances
OSS-Fuzzgen: Automated Fuzzing of Open Source Java Projects
Authors:
Sheung Chi Chan
Adam Korczynski
David Korczynski
Keywords: OSS-Fuzz; Fuzz-Introspector; Java; fuzzing; security testing; libfuzzer.
Abstract:
OSS-Fuzz is an open source service for managing the fuzzing of open source projects. Open source projects integrate into OSS-Fuzz by adding a set of fuzzing harnesses targeting their project and relevant build logic for the OSS-Fuzz infrastructure. OSS-Fuzz will then build and run these harnesses continuously and report when finding any security or reliability issues. To date, OSS-Fuzz has reported tens of thousands of bugs in software and the list is continuously growing. Unfortunately, the process of integrating projects into OSS-Fuzz is still largely manual and both the creation of fuzzing harnesses and build setup are time-consuming tasks. In this paper, we propose OSS-Fuzzgen, a system that can automatically generate OSS-Fuzz integrations for open source Java projects, including fuzzing harness synthesis and build infrastructure generation. The input to OSS-Fuzzgen is a GitHub URL to a given open source project. The output is a list of ranked OSS-Fuzz integration candidates that can be run by OSS-Fuzz. We empirically evaluate our setup by running the system through more than 200 open source projects, which resulted in more than 100 generated OSS-Fuzz integrations. We manually inspect the results and submit 31 of these to OSS-Fuzz, resulting in more than 50 reported bugs across the 31 projects. For 11 of these bugs, we submitted fixes to the relevant open source projects, and 9 fixes were accepted and merged into the upstream open source project. We have open-sourced OSS-Fuzzgen and the code is available on GitHub.
Pages: 51 to 57
Copyright: Copyright (c) IARIA, 2023
Publication date: November 13, 2023
Published in: conference
ISSN: 2308-4235
ISBN: 978-1-68558-098-8
Location: Valencia, Spain
Dates: from November 13, 2023 to November 17, 2023