Google is soliciting security sensitive, open source projects to submit “fuzzing” recipes to their new “continuous fuzzing” service the developed as part of Chrome:
Based on feedback and inspiration gained at Core Infrastructure Workshops, and from many of you in other venues, we are launching a pilot program aimed at making continuous fuzzing an integral part of every Open Source library that consumes untrusted or complex inputs. This is a big challenge, and we would love your participation and help!
As a part of this program, we are starting to beta-test OSS-FUZZ (
GitHub - google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.), a piece of infrastructure that will
allow OSS projects to benefit from our end-to-end automated fuzzing
system. OSS-FUZZ is a thin layer on top of ClusterFuzz
https://blog.chromium.org/2012/04/fuzzing-for-security.html, the
large-scale fuzzing infrastructure that found thousands of bugs in
Chrome
Since sqlcipher already runs on GNU/Linux x86_64 and there is already a sqlite3 recipe, this should be quite easy to do:
https://github.com/google/oss-fuzz/tree/master/targets/sqlite3
I was thinking of doing it myself, but I’m poorly positioned these days to respond to the issues that they find. So I’m bringing it up here! 