Google’s OSS-Fuzz, a widely used continuous fuzzing service for open-source projects, has expanded its capabilities to include applications written in Java and other JVM-based languages. Announced on March 10, 2021, this enhancement extends OSS-Fuzz’s coverage-guided fuzzing to the popular languages that compile to Java Virtual Machine (JVM) bytecode, such as Java, Kotlin, Scala, and Clojure. The expansion will help developers identify security vulnerabilities and other bugs more efficiently across Java-based codebases.
Fuzzing is an effective technique for discovering programming errors and security flaws: a program is fed large volumes of semi-random or invalid input to see how it handles unexpected or malicious data. Previously, OSS-Fuzz was used primarily for fuzz-testing C and C++ applications, but with the integration of Jazzer, Java and other JVM-based languages can now benefit from the same continuous fuzzing. The integration builds on LLVM’s libFuzzer, an in-process, coverage-guided fuzzing engine, so the same feedback-driven approach used for C/C++ code is applied to JVM languages. Because the JVM is memory-safe, the findings in Java code are typically uncaught exceptions, infinite loops and timeouts, or excessive memory and stack use rather than memory corruption, but these are exactly the crashes and denial-of-service conditions that untrusted input can trigger in parsers and protocol handlers.
Jazzer, developed by Code Intelligence, makes JVM code fuzzable by instrumenting JVM bytecode as classes are loaded and feeding the resulting coverage information back to libFuzzer. It records edge coverage in 8-bit counters, the same representation libFuzzer uses for native code, so libFuzzer can steer input generation toward new paths. Its FuzzedDataProvider carves libFuzzer’s raw byte array into typed values (integers within a range, booleans, strings, byte slices), which allows fuzzing of code whose entry points do not accept a raw byte[]. Jazzer also supports value profiling, reporting the operands of comparisons (including integer comparisons and string equality checks) to libFuzzer so that it can satisfy magic-value and keyword checks, and it reuses libFuzzer’s minimization of crashing inputs, producing a small reproducer for each finding. Together these features let the fuzzer reach deep into parsers and other input-handling code far more efficiently than random input alone.
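As an added illustration of the FuzzedDataProvider workflow described above (example code written for this page, not Jazzer’s or OSS-Fuzz’s own), the following Java fuzz target exercises a small hypothetical header-line parser. The parser, its bug, and the class name HeaderParserFuzzer are constructed for the example; only the FuzzedDataProvider API and the fuzzerTestOneInput entry point are Jazzer’s. The target takes structured arguments (an int bound and a String) rather than a byte[], which is the case FuzzedDataProvider exists for.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

// Added example: a Jazzer fuzz target for a hypothetical "name: value"
// header-line parser. Everything except the Jazzer API is constructed
// for this illustration.
public class HeaderParserFuzzer {

    // Hypothetical code under test. It enforces a caller-supplied
    // maximum name length, but has a latent bug: a line with no ':'
    // makes indexOf return -1, and substring(0, -1) then throws
    // StringIndexOutOfBoundsException on untrusted input.
    static String[] parseHeader(String line, int maxNameLen) {
        int colon = line.indexOf(':');
        String name = line.substring(0, colon).trim();
        if (name.length() > maxNameLen) {
            throw new IllegalArgumentException("header name too long");
        }
        String value = line.substring(colon + 1).trim();
        return new String[] {name, value};
    }

    // Jazzer entry point. libFuzzer supplies raw bytes; FuzzedDataProvider
    // carves them into the typed arguments the parser actually takes, so
    // the target itself never has to accept a byte[].
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // consumeInt(min, max) yields a value in the inclusive range, so the
        // fuzzer spends its budget on realistic bounds rather than garbage.
        int maxNameLen = data.consumeInt(1, 64);
        // The rest of the input becomes the line under test; as the fuzzer
        // learns from coverage and value profiling, it will discover that
        // lines containing ':' reach more code, and lines without it crash.
        String line = data.consumeRemainingAsString();
        try {
            parseHeader(line, maxNameLen);
        } catch (IllegalArgumentException expected) {
            // Documented, intentional rejection of oversized names: not a finding.
        }
        // Any other exception (here, StringIndexOutOfBoundsException from the
        // missing-colon case) propagates out of the target. Jazzer reports it
        // as a crash and saves the minimized reproducer input.
    }
}
```

The try/catch is the important design choice: a fuzz target should swallow only the exceptions the code under test documents as valid input rejection, so that every other exception is treated as a bug. Catching Exception broadly would hide the finding entirely. In an OSS-Fuzz project the class is compiled against the Jazzer API jar in the project’s build script; run locally with the standalone launcher, the same class is selected with the `--target_class` flag, the crash is reported as an uncaught exception with its stack trace and the reproducer bytes.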
With this new support for JVM languages, OSS-Fuzz aims to make it easier for developers to detect potential vulnerabilities in their Java-based applications and libraries. By extending fuzz testing to a wider variety of programming environments, Google hopes to improve software security and reliability across more codebases, providing the same continuous, automated testing that has already helped secure C and C++ open-source software.