June 7, 2023


Built General Tough

Atheris, Google’s secret weapon for tracking down bugs in Python code


With Atheris, Google's teams have just developed a new utility based on automated fuzzing to track down security flaws and vulnerabilities in Python code before they are exploited. The new tool should help developers harden code written in Python, a programming language on which the American giant relies heavily.

Atheris is based on fuzzing, a technique that works by feeding a software application large amounts of random data and analyzing its output for anomalies and crashes, which give developers clues about the presence and location of flaws in the application's code. Over the years, Google security researchers have been among the biggest proponents of using fuzzing tools to uncover not only trivial bugs, but also dangerous vulnerabilities potentially exploitable by attackers.
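The loop described above, as an added example that is not from the original article or from Google's code: a constructed parser with a planted bounds bug, a harness that treats only documented `ValueError` rejections as expected, and a purely random driver. The names `parse_record`, `fuzz_one_input` and `random_fuzz` are hypothetical; when the `atheris` package is installed, the same harness is handed to Atheris instead of the random driver.

```python
import random
import sys


def parse_record(data: bytes) -> bytes:
    """Constructed target: [length][payload...][checksum], with a planted bug."""
    if not data:
        raise ValueError("empty input")        # documented rejection
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]                # BUG: no bounds check -> IndexError
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")       # documented rejection
    return payload


def fuzz_one_input(data: bytes) -> None:
    """Harness: expected rejections are swallowed, anything else escapes."""
    try:
        parse_record(data)
    except ValueError:
        pass


def random_fuzz(iterations: int, seed: int = 0) -> list:
    """Purely random fuzzing; returns (input, exception name) for each crash."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
        try:
            fuzz_one_input(data)
        except Exception as exc:               # unexpected exception = finding
            crashes.append((data, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    try:
        import atheris                         # assumption: installed from PyPI
    except ImportError:
        for data, name in random_fuzz(1000)[:3]:
            print(name, data.hex())            # a few crashing inputs to triage
    else:
        atheris.instrument_all()               # coverage feedback for loaded code
        atheris.Setup(sys.argv, fuzz_one_input)
        atheris.Fuzz()                         # uncaught exceptions are reported
```

Each crashing input is a reproducer: replaying it through `fuzz_one_input` after the bounds check is added confirms the fix.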

Since 2013, Google security researchers have created and then published several fuzzing tools, including OSS-Fuzz, Syzkaller, ClusterFuzz, Fuzzilli, and BrokenType. Until now, however, all of these tools had been built only to discover vulnerabilities in C or C++ applications.

A widely available tool

Atheris is therefore Google's answer to the growing popularity of the Python programming language, now ranked 3rd in the TIOBE index of November 2020, which ranks the most popular programming languages in the world. Developed internally at Google during a hackathon last October, Atheris supports fuzzing code written in Python 2.7 and Python 3.3+, as well as native extensions created with CPython.

Google management says, however, that Atheris works best with code in Python 3.8 and higher, where new features added to the Python programming language may help Atheris find even more vulnerabilities than in code written for older Python versions. Note that the Atheris code is already available on GitHub, and the fuzzer is also available on PyPI, the Python package repository.

And it's not over. The American giant indicates that it plans to add support for Atheris' fuzz testing on OSS-Fuzz, a hosted platform that allows developers to fuzz open source projects for security vulnerabilities. Until now this platform supported fuzzing only for the C and C++ languages; it is now widening its scope to include Python. It has found thousands of flaws over the years: as of June 2020, OSS-Fuzz had found over 20,000 bugs in 300 open source projects.

Source: ZDNet.com