Open Source Technology Improvement Fund (OSTIF) is thrilled to announce the results of security improvements via improved fuzzing capabilities on the Liblouis project by ADA Logics! Liblouis is an open source braille translator with expansive capabilities. In 2021, the project onboarded to OSS-Fuzz to perform ongoing security testing, but the code coverage was initially low. OSTIF and ADA Logics saw an opportunity to improve a project centered around accessibility, and armed with the knowledge and ability to contribute impactful security work to Liblouis, the project moved ahead.

David and Adam Korczynski of ADA Logics contributed two fuzzers and a fuzzing dictionary to the project. The first of the two fuzzers targets input translation, and this fuzzer's ability to work across diverse input is pivotal. The second fuzzer acts similarly to the first, except that it executes back translation instead of the forward translation of the other fuzzer. The dictionary, which is used by both new fuzzers, captures all of the opcode names used for translation table construction. The introduction of this dictionary alone caused a 45% increase in code coverage the day it was implemented. In total, code coverage went from around 20% to just below 80%, with static reachability peaking at 93%, an increase of 16% from the start of the engagement.

The data, found via the ADA Logics link below, was generated and analyzed using the Introspector, an insightful tool for visualizing OSS-Fuzz setups.

Six issues were found by these fuzzers due to improved performance and code coverage. ADA Logics expects more to come as the fuzzers continuously run, providing hardened security outcomes to protect the users of Liblouis. David and Adam included further testing area recommendations in their work for maintainers to continue improving security measures. 

This work was organized, researched, and completed not for compensation, but out of love of the community and in fulfilling a mission to improve security posture for open source projects. Open source is maintained for all, and support can and should be rendered for programs that promote inclusivity and access for all.

You can read ADA Logics' blog at: https://adalogics.com/blog/liblouis-continous-fuzzing