How fuzzing can make your open-source project more secure and reliable

etcd integrates continuous fuzzing to validate and improve security

How fuzzing can make your open-source project more secure and reliable

Finding and addressing vulnerabilities in code in a timely manner is critical to develop and maintain secure software. Unit testing new code changes is a common practice to maintain code quality. When test-driven development methodologies are employed, any new code must pass existing unit tests and pass one or more new tests as needed. While unit tests are typically quick to write and run, they are ideal for small-scale stress and load because they are typically limited by a small set of hardcoded inputs needed for the test. The fuzz testing is helpful for testing code with a large set of random inputs. A good set of fuzz test programs (also called fuzzers) together with comprehensive unit test coverage can give you high confidence of code’s quality and security.

This blog post introduces you to fuzzing, describes how the etcd project integrated fuzzing to validate the quality of its code and make the project more secure, and how you can explore fuzzing for an open source project that you work on.

What is fuzzing?

Fuzzing analyzes the vulnerability of software through programmatic code testing. Fuzzing helps uncover programming errors in software that cannot possibly be captured otherwise, so they play a significant role in keeping software secure. Because of its ability to uncover reliability bugs and vulnerabilities in software, many open source projects are increasingly adopting this type of testing.

Open source services like OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

Integrating fuzzing into etcd project

etcd is an open source, strongly consistent, distributed key-value store to reliably store data that a distributed system or cluster of machines needs to be accessed. etcd is a critical component of Kubernetes where it is used as the primary data store for cluster data such as the clusters state and desired state data. In the past, CNCF has sponsored a third-party security audit for the etcd project, and you can read more about it in my related blog post.

etcd recently integrated continuous fuzzing using the OSS-Fuzz project. The work was funded by the CNCF and a team at Ada Logics, Adam Korczynski and David Korczynski, developed a set of 18 fuzzers to ensure etcd security coverage and stability. The primary focus in this engagement was to test for code errors. The types of errors that we were looking for include:

  • out of bounds
  • out of range
  • nil-pointer dereference
  • faulty type assertion
  • out of memory
  • off-by-one
  • infinite loop
  • timeout
  • divide by zero

Eight bugs were found within etcd and are being addressed. You can read more about the details of findings and full report in my blog post that I co-authored with Adam and David.

The fuzzers are stored at the cncf-fuzzing repository. Besides etcd, you can also find fuzzers developed for other CNCF projects.

Use fuzzing in your project and join us at etcd

If you are working on an open-source project which is hosted under CNCF, and not yet covered with fuzz testing, you should take advantage of CNCF sponsoring for fuzzing. Any qualified open source projects can also explore free services like OSS-Fuzz and OpenSSF tools like Fuzz introspector or other third-party services.

For any widely used open source project like etcd, the contribution from new contributors is important for the health and continuous improvement of the project. You can contribute to the fuzzing work or any general areas of the etcd. The etcd GitHub repository is the best place to get involved with the etcd project contributions. The How to Contribute doc provides more details and resources for new contributors to get involved with the project.