wolfSSL and OSS-Fuzz

Recently, Google announced OSS-Fuzz with the aim of making “common open source software more secure and stable by combining modern fuzzing techniques and scalable distributed execution.” And when they said that they would like to see us at OSS-Fuzz, we were interested.

You can read up on OSS-Fuzz at their official Github page, but to summarize the whole thing, it is at it’s core an entry point to Google’s expansive ClusterFuzz system. ClusterFuzz itself is an impressive network of virtual machines utilized originally for fuzz testing the Chrome project, but since opened up to other security software.

On our end, we expect to see a massive increase in our capability to test the wolfSSL library. Any bug found will be disclosed to wolfSSL, then giving us 90 days to release a patch for it before Google discloses its existence to the world.

On your end, you will have access to bugs that are found by this service. It also acts as a mechanism to hold us accountable. Once ClusterFuzz finds and logs a vulnerability, that vulnerability will be made public whether we fix it or not. This, of course, just keeps the pressure on us to keep wolfSSL as secure as possible.

Currently, the plan is to continue our own internal fuzzing projects, and test the waters over at OSS-Fuzz to see just how valuable we end up finding the service. If we like the results that we end up getting, we plan to increase the amount of fuzzing we do through OSS-Fuzz.