OSTIF is proud to share the results of our fuzzing audit of LLVM. The LLVM project is a collection of modular and reusable compiler and toolchain technologies. Having completed this fuzzing audit with the help of Ada Logics and the Sovereign Tech Fund, the LLVM project now has a deeper and more revealing understanding of its security posture through fuzzing.
Audit Highlights:
This audit was specifically designed to improve the fuzzing suite of LLVM, particularly by using OSS-Fuzz for continuous fuzzing. While LLVM already had a considerable fuzzing suite, it suffered from a lack of efficiency that limited code coverage. Additionally, the OSS-Fuzz setup had not been working for over a year at the beginning of this engagement. To remedy this problem and address the noted fuzzing concerns, Ada Logics executed the following tasks in order.
- Performed LLVM OSS-Fuzz Setup, Analysis and Repair to get OSS-Fuzz working again
- Fixed Security-Flagged Issues Reported by OSS-Fuzz
- Expanded Fuzzing Coverage by:
  - Expanding existing fuzzers to cover additional code
  - Developing new fuzzers that target unexplored code
  - Fixing issues and fuzz blockers that break fuzzers
- Identified Areas for Improvement and Future Work
Audit Results:
- Expanded fuzzing coverage from 1.1 million to 2.4 million lines of code
- Extended existing fuzzing suite on OSS-Fuzz and developed three new fuzzers, increasing the fuzzers on OSS-Fuzz by 15
- Fixed 11 Security-Flagged Issues reported by OSS-Fuzz
  - 8 were Memory Corruption Vulnerabilities
- Developed strategy for the next steps of fuzzing LLVM, with a focus on improving fuzzing efficiency
The audit produced not only new fuzzers and additional code coverage but also documentation that informs and educates maintainers about LLVM’s security limitations, needs, and possibilities. LLVM now fuzzes more lines of code than any other project on OSS-Fuzz. Notably, this audit is preliminary due to the size of the project. We are hopeful that LLVM will soon gain access to further security support through OSTIF.
Security audits don’t just produce quantitative results; they also result in documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles. This audit was part of the STF’s Bug Resilience Program, which aims to improve the security of open source infrastructure through contributions to FOSS projects, a bug and fix bounty program, and a code audit program.
Thank you to the groups and individuals without whom this would not have been possible:
- the LLVM maintainers, contributors, and community members
- Ada Logics: Adam Korczynski and David Korczynski
- The Sovereign Tech Fund: Tara Tarakiyee, Adriana Groh, Fiona Krakenbürger, Paul Sharratt, and Powen Shiah
You can read the Audit Report HERE
You can read Ada Logics’ Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].