Submitting SQLCipher to Google's security fuzzer


#1

Google is soliciting security-sensitive, open source projects to submit “fuzzing” recipes to their new “continuous fuzzing” service that they developed as part of Chrome:

Based on feedback and inspiration gained at Core Infrastructure Workshops, and from many of you in other venues, we are launching a pilot program aimed at making continuous fuzzing an integral part of every Open Source library that consumes untrusted or complex inputs. This is a big challenge, and we would love your participation and help!

As a part of this program, we are starting to beta-test OSS-FUZZ (https://github.com/google/oss-fuzz), a piece of infrastructure that will allow OSS projects to benefit from our end-to-end automated fuzzing system. OSS-FUZZ is a thin layer on top of ClusterFuzz (https://blog.chromium.org/2012/04/fuzzing-for-security.html), the large-scale fuzzing infrastructure that found thousands of bugs in Chrome

Since sqlcipher already runs on GNU/Linux x86_64 and there is already a sqlite3 recipe, this should be quite easy to do:
https://github.com/google/oss-fuzz/tree/master/targets/sqlite3

I was thinking of doing it myself, but I’m poorly positioned these days to respond to the issues that they find. So I’m bringing it up here! :slight_smile:


#2

Hi @eighthave

Thanks for sharing this, it certainly looks pretty interesting. We will look into it further to see if it is something we can utilize. Thanks again!