Blue-teaming for Exiv2: how to squash bugs by enrolling in OSS-Fuzz
Blog post from GitHub
The post describes enrolling the Exiv2 project in Google's OSS-Fuzz, the service that continuously fuzzes open-source software and reports the crashes it finds. The author, Kevin Backhouse, walks through the problems and lessons of moving from his earlier AFL fuzzing, which was a one-off exercise against a single build, to the continuous model OSS-Fuzz provides.

The transition had two main technical parts: writing a libFuzzer target that reaches the code paths exercised by Exiv2's various command-line options, rather than only the default metadata-print path, and adapting the build system to OSS-Fuzz's conventions, in particular taking the sanitizer flags from the environment instead of hardcoding them and linking the target against whichever fuzzing engine (libFuzzer, AFL or Honggfuzz) the infrastructure selects. The enrollment was labor-intensive, but the continuous runs turned up a large number of bugs that the one-off AFL campaign had missed, noticeably improving Exiv2's robustness against malformed input.

The post also stresses two practical points: seed the fuzzer with a broad corpus of real files, and give it a dictionary of format-specific tokens, because a fuzzer mutating bytes at random is unlikely to produce a multi-byte keyword by chance. The example given is a bug that was only reached once the string "type=" was added to the dictionary. The series closes by arguing that continuous fuzzing is what keeps a parser like Exiv2 secure over time, since new code and new inputs keep arriving after any single audit.