An Empirical Study of OSS-Fuzz Bugs

TL;DR

This empirical study analyzes nearly 24,000 bugs from OSS-Fuzz, revealing its effectiveness in bug detection, common issues faced, and bug lifecycle patterns, providing insights for future fuzzing improvements.

Contribution

It is the first comprehensive empirical analysis of OSS-Fuzz bugs, highlighting bug characteristics, lifecycle, and campaign dynamics in open source fuzzing.

Findings

OSS-Fuzz effectively finds bugs quickly and developers patch them rapidly.

Flaky bugs, timeouts, and memory errors are common issues.

Fuzzing campaigns show punctuated bug discovery, with unexpected spikes.

Abstract

Continuous fuzzing is an increasingly popular technique for automated quality and security assurance. Google maintains OSS-Fuzz: a continuous fuzzing service for open source software. We conduct the first empirical study of OSS-Fuzz, analyzing 23,907 bugs found in 316 projects. We examine the characteristics of fuzzer-found faults, the lifecycles of such faults, and the evolution of fuzzing campaigns over time. We find that OSS-Fuzz is often effective at quickly finding bugs, and developers are often quick to patch them. However, flaky bugs, timeouts, and out of memory errors are problematic, people rarely file CVEs for security vulnerabilities, and fuzzing campaigns often exhibit punctuated equilibria, where developers might be surprised by large spikes in bugs found. Our findings have implications on future fuzzing research and practice.