UPDATED 13:01 EST / FEBRUARY 08 2019

SECURITY

With ClusterFuzz, Google aims to help developers catch application vulnerabilities

The complexity of modern applications makes finding security issues and other flaws tricky even for large tech firms with plenty of engineering know-how. To simplify this task for its developers, Google LLC has created ClusterFuzz, an automated bug detection tool that it open-sourced on Thursday.

The tool uses a method known as fuzz testing to uncover software flaws. The basic principle is to throw massive amounts of randomly generated data — the “fuzz” — at an application in a deliberate effort to cause errors. Once the test is done, developers can study these errors to find issues in their code.

Fuzz testing is particularly handy for identifying memory corruption bugs and certain other flaws with the potential to pose security risks. The method lends itself to, among other things, determining if certain input might cause an application to overwrite something it’s not supposed to. This kind of behavior can be exploited by hackers to inject malicious code into a system.

Fuzz tests usually have to be performed on a large scale to produce enough randomly generated input to trigger errors. According to Google, ClusterFuzz “provides end-to-end automation” to simplify the execution of such large-scale tests.

The tool can carry out fuzz tests according to developers’ specifications, grouping together examples of unwanted behavior that are caused by the same error to simplify diagnosis and provide pointers on the root cause of the error. It also generates test statistics in the process to provide insight into bug detection efficiency.

After developers release a fix for an issue, they can use ClusterFuzz to make sure that the patch works as intended. The tool runs follow-up tests to ensure that the bug has indeed been addressed and automatically marks the problem as fixed after a certain amount of time. According to Google, ClusterFuzz enables software teams to remedy bugs within hours of their introduction into an application.
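To make the workflow described above concrete, here is a small added example; it is not ClusterFuzz code and not from Google. It throws random bytes at a deliberately buggy parser, groups the crashing inputs by crash signature, and replays one reproducer per group against a patched version. The target `parse_record`, its fix and the helper names are constructed for illustration, and keying on exception type, function and line is an assumed, simplified stand-in for real crash deduplication.

```python
import random
import traceback
from collections import defaultdict

def parse_record(data: bytes) -> bytes:
    """Constructed target: 1 length byte, then payload copied into an 8-byte buffer."""
    buf = bytearray(8)
    n = data[0]                    # bug 1: empty input is not handled
    for i in range(n):
        buf[i] = data[1 + i]       # bug 2: the length byte is trusted
    return bytes(buf[:n])

def parse_record_fixed(data: bytes) -> bytes:
    """Patched target: malformed input is rejected with ValueError."""
    if not data or data[0] > 8 or data[0] > len(data) - 1:
        raise ValueError("malformed record")
    return data[1:1 + data[0]]

def run_one(target, data: bytes):
    """Return a crash signature (type, function, line), or None if no crash."""
    try:
        target(data)
    except ValueError:
        return None                # controlled rejection, not a crash
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]  # innermost frame
        return (type(exc).__name__, frame.name, frame.lineno)
    return None

def fuzz(target, iterations=2000, seed=1234):
    """Throw random inputs at the target and group crashing inputs by signature."""
    rng = random.Random(seed)      # fixed seed so a run can be repeated
    buckets = defaultdict(list)
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(17)))
        sig = run_one(target, data)
        if sig is not None:
            buckets[sig].append(data)
    return buckets

def verify_fix(target, buckets):
    """Replay each bucket's shortest reproducer; True means it no longer crashes."""
    return {sig: run_one(target, min(inputs, key=len)) is None
            for sig, inputs in buckets.items()}

if __name__ == "__main__":
    found = fuzz(parse_record)
    print({sig: len(inputs) for sig, inputs in found.items()})
    print(verify_fix(parse_record_fixed, found))
```

Thousands of crashing inputs collapse into two buckets, one per underlying bug, which is the grouping step that makes large fuzzing runs manageable to triage.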

The search giant uses the tool internally to find issues in Chrome. Google claims that ClusterFuzz has helped uncover 16,000 software bugs in the browser, as well as 11,000 more for external open-source projects that it supports.

ClusterFuzz is the latest in a series of security tools that the company has released over the past week. Earlier, the company debuted a processor-efficient encryption technology for mobile devices and launched a Chrome extension that informs users when one of their online accounts is compromised in a data breach.
