One Article Review

Home - The article:
Source GoogleSec
Identifier 6786657
Publication date 2022-09-08 12:00:15 (viewed: 2022-09-08 16:06:27)
Title Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically
Text Posted by Jonathan Metzman, Dongge Liu and Oliver Chang, Google Open Source Security Team

Recently, OSS-Fuzz (our community fuzzing service that regularly checks 700 critical open source projects for bugs) detected a serious vulnerability (CVE-2022-3008): a bug in the TinyGLTF project that could have allowed attackers to execute malicious code in projects using TinyGLTF as a dependency. The bug was soon patched, but the wider significance remains: OSS-Fuzz caught a trivially exploitable command injection vulnerability. This discovery shows that fuzzing, a type of testing once primarily known for detecting memory corruption vulnerabilities in C/C++ code, has considerable untapped potential to find broader classes of vulnerabilities. Though the TinyGLTF library is written in C++, this vulnerability is easily applicable to all programming languages and confirms that fuzzing is a beneficial and necessary testing method for all software projects.

Fuzzing as a public service

OSS-Fuzz was launched in 2016 in response to the Heartbleed vulnerability, discovered in one of the most popular open source projects for encrypting web traffic. The vulnerability had the potential to affect almost every internet user, yet was caused by a relatively simple memory buffer overflow bug that could have been detected by fuzzing, that is, by running the code on randomized inputs to intentionally cause unexpected behaviors or crashes that signal bugs. At the time, though, fuzzing was not widely used and was cumbersome for developers, requiring extensive manual effort. Google created OSS-Fuzz to fill this gap: it's a free service that runs fuzzers for open source projects and privately alerts developers to the bugs detected. Since its launch, OSS-Fuzz has become a critical service for the open source community, helping get more than 8,000 security vulnerabilities and more than 26,000 other bugs in open source projects fixed.

With time, OSS-Fuzz has grown beyond C/C++ to detect problems in memory-safe languages such as Go, Rust, and Python. Google Cloud's Assured Open Source Software Service, which provides organizations a secure and curated set of open source dependencies, relies on OSS-Fuzz as a foundational layer of security scanning. OSS-Fuzz is also the basis for free fuzzing tools for the community, such as ClusterFuzzLite, which gives developers a streamlined way to fuzz both open source and proprietary code before committing changes to their projects. All of these efforts are part of Google's $10B commitment to improving cybersecurity and continued work to make open source software more secure for everyone.

New classes of vulnerabilities

Last December, OSS-Fuzz
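The article makes two points that are easier to see in code: fuzzing means feeding a target randomized inputs and watching for a signal, and that signal does not have to be a memory-safety crash; a command injection can be caught the same way if the harness knows what "bad" looks like at the command-execution sink. The following is an added example written for this review, not code from the article, from OSS-Fuzz or from TinyGLTF. It is a constructed toy: a model loader whose URI reaches a shell-style word expander (a stand-in for wordexp(3)/system(3) that records substituted commands instead of running anything), a bug detector that flags any executed command containing a canary the fuzzer planted, and a small dictionary-based fuzzer run against both the buggy loader and an allow-listing fix. The loader names, the `FUZZCANARY` token and the token dictionary are all assumptions of this example.

```python
import random
import re
import shlex

# Constructed example: a toy model loader whose URI handling reaches a
# shell-style word expander (a stand-in for wordexp(3)/system(3); nothing
# is ever executed), fuzzed with a "command-injection detector" that flags
# any substituted command containing a canary the fuzzer planted.

CANARY = "FUZZCANARY"  # marker the fuzzer plants in every input it generates

# `cmd` and $(cmd): the two command-substitution forms the toy expander knows
SUBST = re.compile(r"`([^`]*)`|\$\(([^)]*)\)")


class CommandInjection(Exception):
    """Raised by the detector when fuzzer-planted bytes reach the command sink."""


def simulated_expand(word, executed):
    """Stand-in for shell word expansion that performs command substitution only.

    Every substituted command is appended to `executed` (the point a real
    sanitizer would hook, e.g. by tracing process creation) instead of being run.
    """
    def substitute(match):
        cmd = match.group(1) if match.group(1) is not None else match.group(2)
        executed.append(cmd)
        return "<output of %r>" % cmd
    return SUBST.sub(substitute, word)


def detect_injection(executed, canary=CANARY):
    """Bug detector: fuzzer-controlled bytes inside an executed command = injection."""
    for cmd in executed:
        if canary in cmd:
            raise CommandInjection(cmd)


def load_uri_vulnerable(uri):
    """Bug: the untrusted URI is expanded as-is, so backticks in it get 'executed'."""
    executed = []
    path = simulated_expand(uri, executed)
    detect_injection(executed)
    return path


def load_uri_fixed(uri):
    """Fix: allow-list the URI charset before it can reach the expander."""
    if not re.fullmatch(r"[A-Za-z0-9._/-]+", uri):
        raise ValueError("rejected uri: %r" % uri)
    executed = []
    path = simulated_expand(shlex.quote(uri), executed)  # quoting as defence in depth
    detect_injection(executed)
    return path


# Dictionary tokens a fuzzer might be given for a URI field (constructed).
TOKENS = ["scene", ".gltf", "textures/", "-", "`", "$(", ")", ";", " ", CANARY]


def fuzz(target, iterations=5000, seed=7):
    """Minimal dictionary-based random fuzzer.

    Returns the first input that trips the injection detector, or None when
    no generated input did (the outcome expected for the fixed loader).
    """
    rng = random.Random(seed)
    for _ in range(iterations):
        parts = [rng.choice(TOKENS) for _ in range(rng.randint(2, 8))]
        parts.insert(rng.randint(0, len(parts)), CANARY)
        candidate = "".join(parts)
        try:
            target(candidate)
        except ValueError:
            continue  # rejected by input validation: the expected outcome
        except CommandInjection:
            return candidate
    return None


if __name__ == "__main__":
    print("vulnerable loader:", fuzz(load_uri_vulnerable))
    print("fixed loader:     ", fuzz(load_uri_fixed))
```

The detector is the part that generalizes beyond memory corruption: a crash-only harness would report nothing for the vulnerable loader, because nothing crashes, while a check at the execution sink turns "my bytes were run as a command" into a reportable bug. The fixed loader rejects every input carrying shell metacharacters before expansion, so the same fuzzer run returns None for it.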
Sent Yes
Tags Vulnerability


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of a previous one.