I'm one of the maintainers of Jazzer (
https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
fuzzer for the JVM platform. Jazzer has recently been integrated into
Google's OSS-Fuzz (https://google.github.io/oss-fuzz/) to allow for free
continuous fuzzing of important open-source Java projects. Jazzer has
already found over a hundred bugs and eight security issues in libraries
such as Apache Commons, PDFBox and the OWASP json-sanitizer.

Jazzer finds unexpected exceptions and infinite loops by default, but can
also be used to check domain-specific properties such as
decrypt(encrypt(data)) == data. Since it tracks the coverage it achieves
using instrumentation applied by a Java agent, it can synthesize
interesting test data from scratch.

If there is interest from your side, I could set up the Java core libraries
themselves for fuzzing in OSS-Fuzz. Especially the parts that are
frequently applied to untrusted input, such as java.security.* and
javax.imageio.*, would benefit from fuzz tests. I have prepared basic fuzz
tests for some of the classes in these packages at
https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk,
which has already resulted in the first bug report (JDK-8267086).

All I would need from you is:

* a list of email addresses to which the fuzzer findings should be sent
(ideally associated with Google accounts for authentication to full reports
on oss-fuzz.com),
* ideas for additional fuzz tests, in particular those where there are
interesting properties to verify.

The technical questions about setting up the OpenJDK in OSS-Fuzz have
already been resolved (see also
https://github.com/google/oss-fuzz/issues/5757).

If you need more information on OSS-Fuzz or fuzzing in general, I am happy
to help.

Fabian (@fmeum on GitHub)
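The kind of domain-specific property check mentioned above (decrypt(encrypt(data)) == data) as a Jazzer fuzz target, written here as an added illustration rather than code from the post or from the Jazzer or OpenJDK repositories. It uses Jazzer's FuzzedDataProvider API; the class name, the choice of AES-GCM from javax.crypto, and the extra tamper check are my own assumptions about what such a test would look like.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical Jazzer fuzz target for the AES-GCM round-trip property.
 * Jazzer calls fuzzerTestOneInput once per generated input; any uncaught
 * exception thrown here is reported as a finding.
 */
public class AesGcmRoundTripFuzzer {
    private static final int KEY_BYTES = 16;  // AES-128
    private static final int IV_BYTES = 12;   // recommended GCM nonce size
    private static final int TAG_BITS = 128;

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Carve key and nonce out of the fuzzer input, then treat the rest as plaintext.
        byte[] key = data.consumeBytes(KEY_BYTES);
        byte[] iv = data.consumeBytes(IV_BYTES);
        byte[] plaintext = data.consumeRemainingAsBytes();
        if (key.length != KEY_BYTES || iv.length != IV_BYTES) {
            return; // input too short to build valid parameters; not a bug
        }

        try {
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
            GCMParameterSpec params = new GCMParameterSpec(TAG_BITS, iv);

            // A fresh Cipher per operation avoids the JDK's (correct) refusal to
            // re-encrypt under an identical key/IV pair on the same instance.
            Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
            enc.init(Cipher.ENCRYPT_MODE, keySpec, params);
            byte[] ciphertext = enc.doFinal(plaintext);

            // Property 1: ciphertext is plaintext plus a 16-byte authentication tag.
            if (ciphertext.length != plaintext.length + TAG_BITS / 8) {
                throw new IllegalStateException("unexpected ciphertext length " + ciphertext.length);
            }

            // Property 2: decrypt(encrypt(data)) == data.
            Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
            dec.init(Cipher.DECRYPT_MODE, keySpec, params);
            byte[] roundTrip = dec.doFinal(ciphertext);
            if (!Arrays.equals(plaintext, roundTrip)) {
                throw new IllegalStateException("round trip changed the data");
            }

            // Property 3: any single-bit change must be rejected by the tag check.
            byte[] tampered = ciphertext.clone();
            tampered[0] ^= 0x01;
            Cipher dec2 = Cipher.getInstance("AES/GCM/NoPadding");
            dec2.init(Cipher.DECRYPT_MODE, keySpec, params);
            try {
                dec2.doFinal(tampered);
                throw new IllegalStateException("tampered ciphertext was accepted");
            } catch (AEADBadTagException expected) {
                // correct behaviour: authentication failed
            }
        } catch (GeneralSecurityException e) {
            // Provider setup or parameter problems are not expected for these
            // well-formed inputs, so surface them as findings too.
            throw new IllegalStateException("unexpected crypto failure", e);
        }
    }
}
```

The target deliberately returns early when the input is too short instead of throwing, so that the fuzzer does not report "findings" that are only artefacts of the harness; everything the harness throws on purpose is a genuine violation of one of the three stated properties.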
