Google's ClusterFuzz secures Chrome: the process revealed

Developing a secure and zippy browser can be a fuzz, as Google explains in a recent blog post. According to Google, several mechanisms are in place that exercise the code handling end-user content more than a million times a day, a volume that would be impossible to reach manually.

Chrome's fuzzing infrastructure (affectionately named "ClusterFuzz") is built on top of a cluster of several hundred virtual machines running approximately six thousand simultaneous Chrome instances. ClusterFuzz automatically grabs the most current Chrome LKGR (Last Known Good Revision) and hammers away at it to the tune of around fifty million test cases a day.

There's also the challenge of efficient data storage: a single crash report may only be a few hundred kilobytes, but add them all up and you're talking about crunching through some serious data. Google strips away as much as possible, retaining only the information essential to triage a crash or bug.

A further advantage of building ClusterFuzz is that the system can also detect security regressions in near real time, because every new LKGR is fuzzed as soon as it lands. Over the past few months the cluster has caught 95 unique vulnerabilities, and 44 of those were fixed before the final browser release shipped. Google hopes to improve the system so that it catches even more regressions in the future.
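To make the loop described above concrete (mutate inputs, run the target, keep only the information needed to identify a crash, replay reproducers against newer builds to spot regressions), here is a small mutation fuzzer added as an illustration. It is not ClusterFuzz or Chrome code: the target `parse_record` is a constructed toy parser with a deliberate bug, `parse_record_fixed` is the same parser with the check a fix would add, and unlike a real fuzzer it has no coverage feedback and runs in-process rather than against thousands of browser instances.

```python
import random
import traceback

# Constructed target with a deliberate bug; stands in for the Chrome build
# ClusterFuzz would exercise (hypothetical, not Chrome or ClusterFuzz code).
def parse_record(data):
    """Parse b'<len>:<payload>' and return the byte at the declared length."""
    if b":" not in data:
        raise ValueError("missing separator")      # documented error path
    length_field, payload = data.split(b":", 1)
    length = int(length_field)                     # ValueError on non-digits
    # Deliberate bug: trusts the declared length instead of len(payload).
    return payload[length - 1]                     # IndexError when out of range

def parse_record_fixed(data):
    """Same parser with the bounds check a fix would add."""
    if b":" not in data:
        raise ValueError("missing separator")
    length_field, payload = data.split(b":", 1)
    length = int(length_field)
    if not 0 < length <= len(payload):
        raise ValueError("declared length out of range")
    return payload[length - 1]

# Errors the target documents are not crashes; anything else is.
EXPECTED = (ValueError,)

def mutate(data, rng):
    """One random mutation: flip a bit, insert a byte, or delete a byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def crash_signature(exc):
    """Stable de-duplication key: exception type plus the innermost frame.
    This is the 'essential information' kept from a crash, not the whole dump."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"

def run_one(target, data):
    """Return the crash signature if `data` crashes `target`, else None."""
    try:
        target(data)
    except EXPECTED:
        return None
    except Exception as exc:
        return crash_signature(exc)
    return None

def fuzz(target, seeds, iterations, seed=0):
    """Mutate the seeds and keep the smallest reproducer per unique signature."""
    rng = random.Random(seed)           # fixed seed makes the run reproducible
    corpus = list(seeds)
    crashes = {}                        # signature -> smallest input seen
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        for _extra in range(rng.randrange(3)):   # stack a few mutations
            data = mutate(data, rng)
        sig = run_one(target, data)
        if sig is None:
            continue
        if sig not in crashes or len(data) < len(crashes[sig]):
            crashes[sig] = data
    return crashes

def check_regressions(crashes, target):
    """Replay stored reproducers against another build; return signatures
    that still fire. A fixed bug that reappears here is a regression."""
    return sorted(sig for sig, data in crashes.items()
                  if run_one(target, data) is not None)

if __name__ == "__main__":
    found = fuzz(parse_record, [b"5:hello", b"1:x"], 5000)
    for sig, data in found.items():
        print(f"{sig}  reproducer={data!r}")
    print("still crashing in fixed build:", check_regressions(found, parse_record_fixed))
```

Two things carry over from the article: de-duplicating on a signature rather than storing every crash is what keeps the data volume manageable, and replaying the saved reproducers against each new build is how a regression is spotted the moment it lands.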

