Google aims to improve security of browser engines, third-party Android devices and apps on Google Play

Google has announced two new security initiatives: one is aimed at helping bug hunters improve the security of various browsers’ JavaScript engines, the other at helping Android OEMs improve the security of the mobile devices they ship.

Google new security initiatives

Fuzzing JavaScript engines

“JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild zero-day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome. Unfortunately, fuzzing JavaScript engines to uncover these vulnerabilities is generally quite expensive due to their high complexity and relatively slow processing of input,” noted Project Zero’s Samuel Groß.

Researchers must also bear the costs of fuzzing in advance, even though there’s a possibility their approach may not discover any bugs or if it does, that they’ll receive a reward for finding them. This fact might deter many of them and, consequently, bugs stay unfixed and exploitable for longer.

That’s why Google is offering $5,000 research grants in the form of Google Compute Engine credits.

Interested researchers must submit a proposal with details about their intended approach and the awarded credits must be used for fuzzing JavaScript engines with the approach described in the proposal.

They can fuzz the JavaScriptCore (Safari), v8 (Chrome, Edge), or Spidermonkey (Firefox), and must report the found vulnerabilities to the affected vendor. They must also publicly report on their findings within 6 months of the grant getting awarded.

Helping third parties in the Android ecosystem

The company is also set on improving the security of the Android ecosystem, and to that point it’s launching the Android Partner Vulnerability Initiative (APVI).

“Until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP (Android Open Source Project) code that are unique to a much smaller set of specific Android OEMs,” the company explained.

“The APVI […] covers a wide range of issues impacting device code that is not serviced or maintained by Google (these are handled by the Android Security Bulletins).”

Already discovered issues and those yet to be unearthed have been/will be shared through this bug tracker.

Simultaneously, the company has is looking for a Security Engineering Manager in Android Security that will, among other things, lead a team that “will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers.”

Microsoft open-sources tool that enables continuous developer-driven fuzzing

Microsoft has open-sourced OneFuzz, its own internal continuous developer-driven fuzzing platform, allowing developers around the world to receive fuzz testing results directly from their build system.

continuous developer-driven fuzzing

Fuzzing is an automated software testing technique that involves entering random, unexpected, malformed and/or invalid data into a computer program. The goal is to reveal exceptions (e.g., crashes, memory leaks, etc.) and unexpected behaviors that could affect the program’s security and performance.

Azure-powered continuous developer-driven fuzzing

Project OneFuzz is an extensible, self-hosted Fuzzing-As-A-Service platform for Azure that aggregates several existing fuzzers and (through automation) bakes in crash detection, coverage tracking and input harnessing.

The tool is used by Microsoft’s internal teams to strengthen the security development of Windows, Microsoft Edge, and other software products.

“Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from,” Microsoft Security principal security software engineering lead Justin Campbell and senior director for special projects management Mike Walker noted.

“That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.”

The tool’s capabilities

As the two explained, OneFuzz will allow developers to launch fuzz jobs – ranging in size from a few virtual machines to thousands of cores – with a single command line baked into the build system.

The tool’s features include:

  • Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
  • Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
  • Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
  • On-demand live-debugging of found crashes: It lets users summon a live debugging session on-demand or from their build system.
  • Transparent design that allows introspection into every stage.
  • Detailed telemetry: Easy monitoring of all fuzzing
  • Multi-platform by design: Fuzzing can be performed on Windows and varios Linux OSes, by using one’s own OS build, kernel, or nested hypervisor.
  • Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages
  • Code Coverage KPIs: Users can monitor their progress and motivate testing using code coverage as key metric.

OneFuzz will be available to the rest of the world in a few days (via GitHub). Microsoft will continue to update and expand it with contributions from the company’s various teams, and welcomes contributions and suggestions from the wider open-source community.

New fuzzing tool for USB drivers uncovers bugs in Linux, macOS, Windows

With a new fuzzing tool created specifically for testing the security of USB drivers, researchers have discovered more than two dozen vulnerabilities in a variety of operating systems.

“USBFuzz discovered a total of 26 new bugs, including 16 memory bugs of high security impact in various Linux subsystems (USB core, USB sound, and network), one bug in FreeBSD, three in macOS (two resulting in an unplanned reboot and one freezing the system), and four in Windows 8 and Windows 10 (resulting in Blue Screens of Death), and one bug in the Linux USB host controller driver and another one in a USB camera driver,” Hui Peng and Mathias Payer explained.

11 of the Linux bugs have already received a patch.

Making fuzzing USB drivers easier

USBFuzz, which Peng and Payer plan to open source on GitHub in the near future, is a modular testing framework that can be used for fuzzing USB drivers in different OS kernels.

fuzzing USB drivers

Fuzzing (or fuzz testing) involves the automated inputing of invalid, unexpected, or random data into software (in this case drivers), looking how the program behaves – whether it crashes, shows memory leaks, etc. – and checking whether these behaviors can be exploited for malicious ends.

“Fuzzing device drivers is challenging due to the difficulty in providing random input from a device. Dedicated programmable hardware devices are expensive and do not scale as one device can only be used to fuzz one target. More importantly, it is challenging to automate fuzzing on real hardware due to the required physical actions (attaching and detaching the device) for each test,” the researchers explained the motivation for creating USB-Fuzz.

They wanted to make the fuzing device cost-effective, hardware-independent and able to work on different OSes and platforms.

“At its core, USB-Fuzz uses a software-emulated USB device to provide random device data to drivers (when they perform IO operations). As the emulated USB device works at the device level, porting it to other platforms is straight-forward.”

USB-Fuzz works on Linux, FreeBSD, macOS, and Windows, and can be used to perform dumb fuzzing, focused fuzzing, and coverage-guided fuzzing (where coverage collection is supported).