Microsoft Launches Cloud Fuzzing Service
Written by Kay Ewbank   
Friday, 07 October 2016

Microsoft has announced, Project Springfield, a cloud-based service that you can use to test binaries for security weaknesses before you deploy them.

The announcement was made at Microsoft's Ignite conference in Atlanta. Project Springfield is a fuzz testing service that uses whitebox fuzzing to test for software bugs that could be used as a weak point by attackers.

Fuzz testing works by sending random, unexpected inputs to software to find what makes it crash, thereby signalling a security vulnerability.  White box fuzz testing is a refinement of fuzz testing that uses artificial intelligence to create a series of “what if” questions that can be used to work out what might trigger a crash. Every time the tests are run, data is gathered and used to refine the test to concentrate on critical areas. 

Microsoft uses fuzz testing internally and says it runs the largest fuzzing lab in the world. Project Springfield includes Microsoft's Z3 solver.  Z3 is a Satisfiability Modulo Theories (SMT) solver that integrates several decision procedures. It is used in several program analysis, verification, and test case generation projects at Microsoft and was awarded the 2015 ACM SIGPLAN Programming Languages Software Award, which is given for software systems that have had a lasting influence, reflected in contributions to concepts, in commercial acceptance, or both.

Microsoft has been using a component of Project Springfield called SAGE internally since the mid 2000s to test products including Windows and Office prior to release. Project Springfield has also been tested by a small number of customers and developers working on software on a smaller scale than Windows and Office.

SAGE has been used since 2007 to test products including Windows 7 prior to release. When used on Windows 7, SAGE unearthed a number of additional vulnerabilities, eventually accounting for one-third of all the bugs this kind of security testing.

David Molnar, the Microsoft researcher who leads Project Springfield, said fuzz testing is ideal for software that regularly incorporate inputs such as documents, images, videos or other pieces of information that may not be trustworthy.
 
Project Springfield is available in the form of a Web dashboard hosted in the Azure cloud. You log into a secure web portal, and get a virtual machine onto which you install the binaries of the software you want to test, along with a "test driver" program that runs the scenario to be tested, and a set of sample input files called "seed files" to use as a starting point for fuzzing.
 
Project Springfield then runs fuzz tests over a period of time, and reports security vulnerabilities in real time on the secure web portal. You can then download actionable test cases to reproduce the issue.
 

springfield
 

More Information

Project Springfield site

SAGE Explained

Related Articles

Z3 Theorem Prover Wins Award

Microsoft Bug Bounty Extends Scope

Microsoft Doubles Bounty Payouts

Microsoft Offers $100,000 For Novel Exploits

New Online Services Bug Bounty Program 

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on, Twitter, Facebook or Linkedin.

 

Banner


Learn To Develop On Android With MAD Skills
16/11/2020

Modern Android Development (MAD) Skills is a free series of videos and articles by Google that teaches the modern ways of doing development on the Android platform.



The State Of Secure Software Development - Three OpenSSF Courses
23/11/2020

The Open Source Security Foundation has recently launched three brand new and free courses on Secure Software Development, which are hosted on edX.


More News

 

square

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 30 November 2016 )