Microsoft Announces OneFuzz Framework
Written by Kay Ewbank   
Friday, 18 September 2020

Microsoft has announced the Project OneFuzz framework, an open source developer tool to find and fix bugs at scale. The automated tool will replace the Microsoft Security and Risk Detection tool.

Project OneFuzz is an extensible fuzz testing framework for Azure that will be available through GitHub as an open-source tool. Microsoft developers in the Edge and Windows teams are already using the framework.


While fuzz testing is an effective method for finding and removing exploitable security flaws, it can be complicated to use and to extract information from. As a result, fuzz testing has been seen as requiring dedicated security engineering teams to build and operate. The aim is to let developers perform fuzz testing themselves, shifting the discovery of vulnerabilities to earlier in the development lifecycle.

Microsoft says that recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code. 

Experimental support for fuzz testing techniques is being added to Visual Studio. Microsoft says that once the test binaries can be built by a compiler, today’s developers are left with the challenge of building them into a CI/CD pipeline and scaling fuzzing workloads in the cloud.

Project OneFuzz supports the creation of composable fuzzing workflows that can include other fuzzers and different instrumentation. It comes with built-in ensemble fuzzing where inputs of interest can be swapped between fuzzing technologies.

OneFuzz also provides flaw cases that always reproduce errors to assist with testing, along with live debugging of found crashes. Developers can summon a live debugging session on demand or from their build system. The software can be used on Windows and Linux, running on your own OS build, kernel, or nested hypervisor.


More Information

OneFuzz On GitHub

Open Source Fuzzing Session At CppCon 2020

Related Articles

Google Launches Fuzzer Benchmarking Service

Microsoft Launches Cloud Fuzzing Service

New tool detects RegEx security weakness

Tactical Pentesting With Burp Suite


Last Updated ( Friday, 18 September 2020 )