|Microsoft Launches Cloud Fuzzing Service|
|Written by Kay Ewbank|
|Friday, 07 October 2016|
Microsoft has announced, Project Springfield, a cloud-based service that you can use to test binaries for security weaknesses before you deploy them.
The announcement was made at Microsoft's Ignite conference in Atlanta. Project Springfield is a fuzz testing service that uses whitebox fuzzing to test for software bugs that could be used as a weak point by attackers.
Fuzz testing works by sending random, unexpected inputs to software to find what makes it crash, thereby signalling a security vulnerability. White box fuzz testing is a refinement of fuzz testing that uses artificial intelligence to create a series of “what if” questions that can be used to work out what might trigger a crash. Every time the tests are run, data is gathered and used to refine the test to concentrate on critical areas.
Microsoft uses fuzz testing internally and says it runs the largest fuzzing lab in the world. Project Springfield includes Microsoft's Z3 solver. Z3 is a Satisfiability Modulo Theories (SMT) solver that integrates several decision procedures. It is used in several program analysis, verification, and test case generation projects at Microsoft and was awarded the 2015 ACM SIGPLAN Programming Languages Software Award, which is given for software systems that have had a lasting influence, reflected in contributions to concepts, in commercial acceptance, or both.
Microsoft has been using a component of Project Springfield called SAGE internally since the mid 2000s to test products including Windows and Office prior to release. Project Springfield has also been tested by a small number of customers and developers working on software on a smaller scale than Windows and Office.
SAGE has been used since 2007 to test products including Windows 7 prior to release. When used on Windows 7, SAGE unearthed a number of additional vulnerabilities, eventually accounting for one-third of all the bugs this kind of security testing.David Molnar, the Microsoft researcher who leads Project Springfield, said fuzz testing is ideal for software that regularly incorporate inputs such as documents, images, videos or other pieces of information that may not be trustworthy.
Project Springfield then runs fuzz tests over a period of time, and reports security vulnerabilities in real time on the secure web portal. You can then download actionable test cases to reproduce the issue.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Wednesday, 30 November 2016 )|