Google’s open source fuzz-testing service, OSS-Fuzz, now supports applications written in Java and JVM-based languages. The capability was announced on March 10.
OSS-Fuzz provides continuous fuzzing for open source software. A technique for finding programming errors and security vulnerabilities in software, fuzzing involves sending a stream of semi-random and invalid input to a program. Fuzzing code written in memory-safe languages such as JVM languages can find bugs that cause programs to crash or behave incorrectly.
Google enabled fuzzing for Java and the JVM by integrating OSS-Fuzz with the Jazzer fuzzer from Code Intelligence. Jazzer enables users to fuzz code written in JVM-based languages via the LLVM project’s libFuzzer, an in-process, coverage-guided fuzzing engine, similar to how this has been done for C/C++ code. Languages supported by Jazzer include Java, Clojure, Kotlin, and Scala. Code coverage feedback is provided from JVM bytecode to libFuzzer, with Jazzer supporting libFuzzer features including:
- FuzzedDataProvider, for fuzzing code that does not accept an array of bytes.
- Evaluation of code coverage based on 8-bit edge counters.
- Minimization of crashing inputs.
- Value profiles.
Google has provided documentation on adding open source projects written in JVM languages to OSS-Fuzz. Plans call for Jazzer to support all lIbFuzzer features eventually. Jazzer also can provide coverage feedback from native code executed through the Java Native Interface. This can uncover memory corruption vulnerabilities in memory-unsafe native code. OSS-Fuzz also lists languages such as Go, Python, C/C++, and Rust as supported languages.