Microsoft Launches Cloud Fuzzing Service
Written by Kay Ewbank   
Friday, 07 October 2016

Microsoft has announced, Project Springfield, a cloud-based service that you can use to test binaries for security weaknesses before you deploy them.

The announcement was made at Microsoft's Ignite conference in Atlanta. Project Springfield is a fuzz testing service that uses whitebox fuzzing to test for software bugs that could be used as a weak point by attackers.

Fuzz testing works by sending random, unexpected inputs to software to find what makes it crash, thereby signalling a security vulnerability.  White box fuzz testing is a refinement of fuzz testing that uses artificial intelligence to create a series of “what if” questions that can be used to work out what might trigger a crash. Every time the tests are run, data is gathered and used to refine the test to concentrate on critical areas. 

Microsoft uses fuzz testing internally and says it runs the largest fuzzing lab in the world. Project Springfield includes Microsoft's Z3 solver.  Z3 is a Satisfiability Modulo Theories (SMT) solver that integrates several decision procedures. It is used in several program analysis, verification, and test case generation projects at Microsoft and was awarded the 2015 ACM SIGPLAN Programming Languages Software Award, which is given for software systems that have had a lasting influence, reflected in contributions to concepts, in commercial acceptance, or both.

Microsoft has been using a component of Project Springfield called SAGE internally since the mid 2000s to test products including Windows and Office prior to release. Project Springfield has also been tested by a small number of customers and developers working on software on a smaller scale than Windows and Office.

SAGE has been used since 2007 to test products including Windows 7 prior to release. When used on Windows 7, SAGE unearthed a number of additional vulnerabilities, eventually accounting for one-third of all the bugs this kind of security testing.

David Molnar, the Microsoft researcher who leads Project Springfield, said fuzz testing is ideal for software that regularly incorporate inputs such as documents, images, videos or other pieces of information that may not be trustworthy.
 
Project Springfield is available in the form of a Web dashboard hosted in the Azure cloud. You log into a secure web portal, and get a virtual machine onto which you install the binaries of the software you want to test, along with a "test driver" program that runs the scenario to be tested, and a set of sample input files called "seed files" to use as a starting point for fuzzing.
 
Project Springfield then runs fuzz tests over a period of time, and reports security vulnerabilities in real time on the secure web portal. You can then download actionable test cases to reproduce the issue.
 

springfield
 

More Information

Project Springfield site

SAGE Explained

Related Articles

Z3 Theorem Prover Wins Award

Microsoft Bug Bounty Extends Scope

Microsoft Doubles Bounty Payouts

Microsoft Offers $100,000 For Novel Exploits

New Online Services Bug Bounty Program 

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

 

Banner


The Feds Want Us To Move On From C/C++
13/11/2024

The clamour for safe programming languages seems to be growing and becoming official. We have known for a while that C and C++ are dangerous languages so why has it become such an issue now and is it  [ ... ]



Advent Of Code 2024 Now Underway
01/12/2024

December 1st is much anticipated among those who like programming puzzles. It is time to start solving small but tricky puzzles on the Advent of Code website with the goal of amassing 50 stars by Chri [ ... ]


More News

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 30 November 2016 )