Microsoft Launches Cloud Fuzzing Service
Written by Kay Ewbank   
Friday, 07 October 2016

Microsoft has announced, Project Springfield, a cloud-based service that you can use to test binaries for security weaknesses before you deploy them.

The announcement was made at Microsoft's Ignite conference in Atlanta. Project Springfield is a fuzz testing service that uses whitebox fuzzing to test for software bugs that could be used as a weak point by attackers.

Fuzz testing works by sending random, unexpected inputs to software to find what makes it crash, thereby signalling a security vulnerability.  White box fuzz testing is a refinement of fuzz testing that uses artificial intelligence to create a series of “what if” questions that can be used to work out what might trigger a crash. Every time the tests are run, data is gathered and used to refine the test to concentrate on critical areas. 

Microsoft uses fuzz testing internally and says it runs the largest fuzzing lab in the world. Project Springfield includes Microsoft's Z3 solver.  Z3 is a Satisfiability Modulo Theories (SMT) solver that integrates several decision procedures. It is used in several program analysis, verification, and test case generation projects at Microsoft and was awarded the 2015 ACM SIGPLAN Programming Languages Software Award, which is given for software systems that have had a lasting influence, reflected in contributions to concepts, in commercial acceptance, or both.

Microsoft has been using a component of Project Springfield called SAGE internally since the mid 2000s to test products including Windows and Office prior to release. Project Springfield has also been tested by a small number of customers and developers working on software on a smaller scale than Windows and Office.

SAGE has been used since 2007 to test products including Windows 7 prior to release. When used on Windows 7, SAGE unearthed a number of additional vulnerabilities, eventually accounting for one-third of all the bugs this kind of security testing.

David Molnar, the Microsoft researcher who leads Project Springfield, said fuzz testing is ideal for software that regularly incorporate inputs such as documents, images, videos or other pieces of information that may not be trustworthy.
 
Project Springfield is available in the form of a Web dashboard hosted in the Azure cloud. You log into a secure web portal, and get a virtual machine onto which you install the binaries of the software you want to test, along with a "test driver" program that runs the scenario to be tested, and a set of sample input files called "seed files" to use as a starting point for fuzzing.
 
Project Springfield then runs fuzz tests over a period of time, and reports security vulnerabilities in real time on the secure web portal. You can then download actionable test cases to reproduce the issue.
 

springfield
 

More Information

Project Springfield site

SAGE Explained

Related Articles

Z3 Theorem Prover Wins Award

Microsoft Bug Bounty Extends Scope

Microsoft Doubles Bounty Payouts

Microsoft Offers $100,000 For Novel Exploits

New Online Services Bug Bounty Program 

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

 

Banner


Stack Overflow On Google Cloud
06/03/2024

Stack Overflow and Google Cloud have announced a partnership to deliver new gen AI-powered capabilities to developers through the Stack Overflow platform, Google Cloud Console, and Gemini for Google C [ ... ]



Microsoft Introduces SharePoint Embedded VSCode Extension
22/02/2024

Microsoft has released a preview version of a SharePoint Embedded Visual Studio Code extension, describing it as a new tool for developers who want to get started with SharePoint Embedded application  [ ... ]


More News

 

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 30 November 2016 )