ClusterFuzz: Fuzzing at Google Scale

Conference: BlackHat EU 2019



The presentation discusses the importance of fuzzing in software development and how to integrate it into the development process.
  • Fuzzing is an important tool for catching bugs and vulnerabilities in software
  • Developers should be encouraged to write fuzzers and make it a part of the development process
  • Builds should be compiled with instrumentation such as AddressSanitizer and MemorySanitizer
  • Optimization levels should be balanced for speed and bug-catching
  • A continuous, automatic build infrastructure should be set up, with its builds stored in an easily accessible location
The speaker mentions a project where academics are invited to add their fuzzing engine work to an evaluation service to determine which techniques are useful in the real world.


Fuzzing is an effective way of finding security vulnerabilities, but it does not scale well for a defender trying to protect complex software with several third-party dependencies. There are numerous daunting challenges that come into play, which include writing the fuzz targets manually, determining tools and technologies to integrate with, managing continuous fuzzing of these targets at scale, precise crash deduplication, and finally getting the vulnerabilities fixed. This talk is about how we overcame these challenges to operate the largest publicly known fuzzing infrastructure, running over 25,000 cores and 2,500 targets and finding over 8,000 security vulnerabilities in several Google products and 200 open source projects (as part of the free OSS-Fuzz service). We will dive deeper into how our infrastructure ClusterFuzz completely automates the entire fuzzing lifecycle and how we scale the process of writing fuzz targets into developer workflows. Our experience highlights that these methodologies scale well for both large projects (like Chrome) and small projects (like openssl, libxml, and many other OSS-Fuzz projects).
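To make the "fuzz target" and sanitizer-build recommendations above concrete, here is an added example (not code from the talk or from ClusterFuzz) of a libFuzzer-style target. The TLV record format, the function `tlv_count_records` and the file name `tlv_fuzz.c` are hypothetical, and the build line assumes a clang toolchain with libFuzzer.

```c
/* Added example: libFuzzer-style fuzz target for a hypothetical TLV parser.
 * Build (assumed toolchain: clang with libFuzzer and AddressSanitizer):
 *   clang -g -O1 -fsanitize=fuzzer,address tlv_fuzz.c -o tlv_fuzz
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TLV_MAX_VALUE 64

/* Hypothetical code under test: walks [type][len][value...] records.
 * Returns the number of records, or -1 on malformed input. */
int tlv_count_records(const uint8_t *buf, size_t size, size_t *consumed) {
    size_t off = 0;
    int count = 0;
    uint8_t value[TLV_MAX_VALUE];

    while (off < size) {
        if (size - off < 2) return -1;        /* truncated header */
        uint8_t len = buf[off + 1];
        off += 2;
        if (len > TLV_MAX_VALUE) return -1;   /* would overflow value[] */
        if (len > size - off) return -1;      /* value runs past the input */
        memcpy(value, buf + off, len);        /* the copy ASan instruments */
        off += len;
        count++;
    }
    if (consumed) *consumed = off;
    return count;
}

/* Entry point the fuzzing engine calls once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    size_t consumed = 0;
    int n = tlv_count_records(data, size, &consumed);
    /* Invariant: a successful parse accounts for every input byte.
     * abort() turns a logic bug into a crash the fuzzer can report. */
    if (n >= 0 && consumed != size) abort();
    return 0;  /* rejected inputs are not crashes, so still return 0 */
}
```

If either bounds check in the parser were removed, the sanitizer-instrumented build would report the out-of-bounds access on the `memcpy` as soon as the engine generated an oversized or truncated length byte.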