Announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds has revealed that fuzzing is producing a steady stream of security fixes.
Fuzzing involves stress testing a program by feeding it large volumes of random or malformed input (or, in the case of a tool like crashme, by executing random machine code) to provoke crashes and other unexpected errors, which in turn may point to exploitable security flaws. Fuzzing is helping software developers catch bugs before shipping software to users.
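The loop behind the technique is short enough to show in full. The following is an added example, not code from the article, the Linux kernel or any of the tools it names: a mutational fuzzer in Python run against a toy length-prefixed record parser. The record format, the sloppy and hardened parsers and the seed inputs are all constructed for this illustration. Kernel fuzzers feed the kernel system calls or random instructions rather than byte strings, but the shape is the same: mutate a known-good input, run the target, and treat any error other than the documented rejection as a bug worth reporting.

```python
import random
from typing import Callable, List, Tuple

# Toy length-prefixed record format (constructed for this example):
#   [count: 1 byte] then count x ([len: 1 byte][payload: len bytes])


def parse_record(data: bytes) -> List[bytes]:
    """Deliberately sloppy parser: trusts the count and length bytes
    without checking that the input is long enough to honour them."""
    if not data:
        raise ValueError("empty input")
    count = data[0]
    pos = 1
    fields = []
    for _ in range(count):
        length = data[pos]                      # BUG: pos can run past the end -> IndexError
        pos += 1
        fields.append(data[pos:pos + length])   # BUG: silently truncates short payloads
        pos += length
    return fields


def parse_record_hardened(data: bytes) -> List[bytes]:
    """Same format, but every read is bounds-checked and malformed input is
    rejected with ValueError, the one exception callers are told to expect."""
    if not data:
        raise ValueError("empty input")
    count = data[0]
    pos = 1
    fields = []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated: missing length byte")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("truncated: payload shorter than declared length")
        fields.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a seed input."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and buf:                      # overwrite a byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and len(buf) > 1:           # delete a byte
            del buf[rng.randrange(len(buf))]
        else:                                    # insert a byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 3000, rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Mutational fuzz loop. ValueError is the documented rejection path and
    is ignored; any other exception is recorded as a crash with its input."""
    rng = random.Random(rng_seed)   # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes


# Two well-formed records, constructed as the starting corpus.
SEEDS = [b"\x02\x03abc\x01x", b"\x01\x00"]


if __name__ == "__main__":
    found = fuzz(parse_record, SEEDS)
    print(f"sloppy parser: {len(found)} crashing inputs, first: {found[0] if found else None}")
    print(f"hardened parser: {len(fuzz(parse_record_hardened, SEEDS))} crashing inputs")
```

Against the sloppy parser the loop turns up inputs that raise IndexError within a few hundred iterations, typically by bumping the count byte or deleting a length byte; against the hardened parser the same seed and iteration count produce no crashes at all, which is exactly the regression check a developer wants before shipping a fix.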
Google uses a variety of fuzzing tools to find bugs in its own and other vendors’ software. Microsoft has launched the Project Springfield fuzzing service to allow enterprise customers to test their own software.
As Torvalds points out, Linux kernel developers have been using fuzzing programs since the beginning, with tools such as “crashme”, which was released in 1991 and, nearly 20 years later, was used by Google security researcher Tavis Ormandy to test how well a host is shielded when untrusted data is processed inside a virtual machine.
“The other thing perhaps worth mentioning is how much random fuzzing people are doing, and it’s finding things,” writes Torvalds.