Mozilla and BlackBerry Collaborate on Fuzzing
Mozilla and BlackBerry’s work on security research techniques is in the area of fault injection. Fault injection (also known as “fuzzing”) is a method of automated security testing that is used to identify potential security concerns that can be fixed before users are at risk. Fault injection is a testing technique where specially designed software is created to inject a variety of unexpected or malformed data into a specific application, program or area of code. The goal is to uncover areas where the software does not properly handle the malformed data. Through fault injection it is possible to identify potential security weaknesses that can be proactively addressed before there is ever a threat to users.
The specific area of joint research is Peach v2, an open source fuzzing framework, and the collaboration will also include joint work on other fuzzing software. Mozilla and BlackBerry are working together to advance the Peach fuzzing software for testing Web browsers. We will also collaborate on fuzzing techniques and approaches to jointly raise the security protections provided to our users.
Mozilla has successfully used Peach to perform fuzz testing against HTML5 features such as image formats, audio/video formats, fonts, multimedia APIs like WebGL and WebAudio, and most recently protocols used in WebRTC. Through our testing, we’ve proactively identified issues that could be fixed before there was any risk to our users. This testing has proved to be very effective and is helping secure Firefox and Firefox OS users.
BlackBerry has long relied on large-scale automated testing to identify security issues across its platform. The collaboration with Mozilla plugs directly into BlackBerry’s existing security processes and infrastructure. BlackBerry regularly uses third-party fuzzers, in addition to its own proprietary fuzzing tools, static analysis and vulnerability research, in order to identify and address potential security concerns across its portfolio of products and services.
Adrian Stone, Director of BlackBerry Security Response and Threat Analysis, shared that he is excited about the work Mozilla and BlackBerry researchers are conducting and the potential benefits for customers.
Stone noted, “Security is an industry-wide challenge that cannot be solved in a vacuum, and that is why BlackBerry and Mozilla security researchers are working together to develop new and innovative tools for detecting browser threats before they can affect both mobile and desktop customers. Through this collaboration, BlackBerry and Mozilla are working together towards the common goal of advancing security protections for customers as well as improving the threat landscape overall.”
Mozilla and BlackBerry have worked together on fuzzing activities in the past and both recognize the importance of continued automated security testing techniques in order to protect users on the open Web.