Nand Kishor Contributor

Nand Kishor is the Product Manager of House of Bots. After finishing his studies in computer science, he ideated & re-launched Real Estate Business Intelligence Tool, where he created one of the leading Business Intelligence Tool for property price analysis in 2012. He also writes, research and sharing knowledge about Artificial Intelligence (AI), Machine Learning (ML), Data Science, Big Data, Python Language etc... ...

Follow on

Nand Kishor is the Product Manager of House of Bots. After finishing his studies in computer science, he ideated & re-launched Real Estate Business Intelligence Tool, where he created one of the leading Business Intelligence Tool for property price analysis in 2012. He also writes, research and sharing knowledge about Artificial Intelligence (AI), Machine Learning (ML), Data Science, Big Data, Python Language etc...

3 Best Programming Languages For Internet of Things Development In 2018
9 days ago

Data science is the big draw in business schools
182 days ago

7 Effective Methods for Fitting a Liner
192 days ago

3 Thoughts on Why Deep Learning Works So Well
192 days ago

3 million at risk from the rise of robots
192 days ago

Top 10 Hot Artificial Intelligence (AI) Technologies
211611 views

Here's why so many data scientists are leaving their jobs
75285 views

Want to be a millionaire before you turn 25? Study artificial intelligence or machine learning
68271 views

2018 Data Science Interview Questions for Top Tech Companies
58698 views

Google announces scholarship program to train 1.3 lakh Indian developers in emerging technologies
56760 views

Google's Fuzz bot exposes over 1,000 open-source bugs

May 10, 2017 | 4494 Views

Google's OSS-Fuzz bug-hunting robot has been hard at work, and in recent months, over 1,000 bugs have been exposed.

According to Chrome Security engineers Oliver Chang and Abhishek Arya, software engineer Kostya Serebryany, and Google Security program manager Josh Armour, the OSS-Fuzz bot has been scouring the web over the past five months in the pursuit of security vulnerabilities which can be exploited.

The OSS-Fuzz bot uses a technique called fuzzing to find bugs. Fuzzing is an automatic method of using large amounts of random data against a system or software in an attempt to make it crash. By doing so, fuzzing can ferret out bugs and potential vulnerabilities quickly without the process being labor-intensive for security professionals.

The process itself is well-established, and with the introduction of OSS-Fuzz to the community at large this year, over 10 trillion test inputs are being processed every day. Together with the open-source community, over 1,000 bugs have been discovered across 47 projects, of which 264 are potential security vulnerabilities.

The bugs and potential security issues uncovered include heap buffer overflow problems, use-after-free vulnerabilities, stack overflows, and data leaks. However, fuzzing does not just focus on memory-related problems but also records correctness or logic bugs.

Notably, OSS-Fuzz has found numerous security vulnerabilities in high-profile projects which provide support and components to well-known consumer software. In total, 10 bugs were discovered in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark. (Some discoveries have collided with other researchers' work and some are view-restricted.)

"Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, so that the chances of users being affected is reduced," Google says.

Google believes that as a security tool, fuzzing should be adopted in the mainstream. To this end, the tech giant is expanding the Patch Rewards program to include rewards for IT professionals who utilize the bot.

To qualify, projects much have a large user base or global IT infrastructure. When OSS-Fuzz is first introduced a reward of $1,000 is given, and for what Google considers "ideal integration," up to $20,000 is up for grabs. Should vendors and staff choose to donate their reward to charity, this amount is doubled.

Interested parties can contact Google to apply.

"We'd like to thank the existing contributors who integrated their projects and fixed countless bugs," the Google team says. "We hope to see more projects integrated into OSS-Fuzz, and greater adoption of fuzzing as standard practice when developing software." Read More

Source: ZDnet