Time Table

The OSS-Fuzz project, launched by Google in 2016, has discovered over 36,000 software bugs as of August 2023. This project primarily utilizes a technique called “fuzzing,” which is an automated bug detection technology. Although fuzzing is often referred to as an automatic bug detection technique, several manual tasks are required to actually perform fuzzing. These tasks include creating a harness (a program that calls the target software), generating fuzzing binaries, adjusting command-line arguments, and preparing initial seeds. Especially when fuzzing multiple different software programs, these tasks become obstacles (factors hindering automation) that prevent the entire fuzzing workflow from being fully automated. As a result, it becomes difficult to efficiently perform fuzzing across a wide variety of software.

We have developed a system called PkgFuzz, which addresses these obstacles and automates the entire fuzzing workflow. PkgFuzz monitors the build process of software packages and selects packages that can be fuzzed. At the same time, it collects the necessary information for fuzzing. In this presentation, we will introduce the fuzzing campaign called the PkgFuzz Project, which utilized PkgFuzz. In the PkgFuzz Project, we conducted a fuzzing campaign on the Debian packages of Ubuntu 23.10, which includes a wide variety of software. Without human intervention, we obtained 64,658 crashes from 265 packages. Upon further investigation, we discovered four vulnerabilities that could be exploited in attacks. We reported these vulnerabilities to the Information-Technology Promotion Agency (IPA), which resulted in the issuance of three advisories and the assignment of CVEs.