Microsoft Launches Cloud Fuzzing Service
Written by Kay Ewbank   
Friday, 07 October 2016

Microsoft has announced, Project Springfield, a cloud-based service that you can use to test binaries for security weaknesses before you deploy them.

The announcement was made at Microsoft's Ignite conference in Atlanta. Project Springfield is a fuzz testing service that uses whitebox fuzzing to test for software bugs that could be used as a weak point by attackers.

Fuzz testing works by sending random, unexpected inputs to software to find what makes it crash, thereby signalling a security vulnerability.  White box fuzz testing is a refinement of fuzz testing that uses artificial intelligence to create a series of “what if” questions that can be used to work out what might trigger a crash. Every time the tests are run, data is gathered and used to refine the test to concentrate on critical areas. 

Microsoft uses fuzz testing internally and says it runs the largest fuzzing lab in the world. Project Springfield includes Microsoft's Z3 solver.  Z3 is a Satisfiability Modulo Theories (SMT) solver that integrates several decision procedures. It is used in several program analysis, verification, and test case generation projects at Microsoft and was awarded the 2015 ACM SIGPLAN Programming Languages Software Award, which is given for software systems that have had a lasting influence, reflected in contributions to concepts, in commercial acceptance, or both.

Microsoft has been using a component of Project Springfield called SAGE internally since the mid 2000s to test products including Windows and Office prior to release. Project Springfield has also been tested by a small number of customers and developers working on software on a smaller scale than Windows and Office.

SAGE has been used since 2007 to test products including Windows 7 prior to release. When used on Windows 7, SAGE unearthed a number of additional vulnerabilities, eventually accounting for one-third of all the bugs this kind of security testing.

David Molnar, the Microsoft researcher who leads Project Springfield, said fuzz testing is ideal for software that regularly incorporate inputs such as documents, images, videos or other pieces of information that may not be trustworthy.
Project Springfield is available in the form of a Web dashboard hosted in the Azure cloud. You log into a secure web portal, and get a virtual machine onto which you install the binaries of the software you want to test, along with a "test driver" program that runs the scenario to be tested, and a set of sample input files called "seed files" to use as a starting point for fuzzing.
Project Springfield then runs fuzz tests over a period of time, and reports security vulnerabilities in real time on the secure web portal. You can then download actionable test cases to reproduce the issue.


More Information

Project Springfield site

SAGE Explained

Related Articles

Z3 Theorem Prover Wins Award

Microsoft Bug Bounty Extends Scope

Microsoft Doubles Bounty Payouts

Microsoft Offers $100,000 For Novel Exploits

New Online Services Bug Bounty Program 


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.



Amazon Updates Q Family And Previews App Studio

Amazon made multiple announcements at its AWS Summit in New York, including a preview of AWS App Studio, the addition of Q Developer to SageMaker Studio, and an Amazon Q Apps API.

Look Once to Hear - A Spy's Dream Come True

Deep learning has triumphed again. You can don a pair of headphones, look at a person talking and from then on the system will track the person so you can hear them as they move away or become swamped [ ... ]

More News


kotlin book



or email your comment to:

Last Updated ( Wednesday, 30 November 2016 )