Microsoft is looking to help developers continuously fuzz-test code prior to release, via the open source OneFuzz framework.
Described as a self-hosted fuzzing-as-a-service platform, OneFuzz enables developer-driven fuzzing to identify software vulnerabilites during the development process. Source code for OneFuzz is due to arrive on GitHub on September 18.
Fuzz testing is about increasing the security and reliability of native code by finding costly, exploitable security flaws. Fuzz testing involves throwing random inputs at software to find instances in which unforeseen actions could cause software to fail.
However, Microsoft noted that fuzz testing has been a double-edged sword for developers—mandated by the software development lifecycle and effective in finding actionable flaws, but difficult and expensive to implement, requiring dedicated security engineering teams to build fuzz testing capabilities and harness the results.
Enabling developers to run fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and frees security engineering teams to pursue more proactive work. The global release of OpenFuzz is intended to help developers harden the software that powers users’ daily work and personal lives, thus making an attacker’s job harder.
Executing a single command that can be baked into a CI/CD system, developers using OneFuzz can launch fuzz jobs spanning from a few virtual machines to thousands of cores. OneFuzz, which is extensible, serves as a replacement for the Microsoft Security Risk Detection software testing mechanism. OneFuzz has been used to develop the Microsoft Edge browser and Windows.
OneFuzz features and benefits:
- Composable fuzzing workflows
- Built-in ensemble fuzzing, with fuzzer teams sharing strengths and swapping inputs of interest between fuzzing technologies
- On-demand live debugging of crashes
- Programmatic triage and result deduplication
- Crash reporting notification callbacks
- Works with Windows and Linux
Microsoft cited compiler advances by Google as having transformed the security engineering tasks involved in fuzz testing native code. What was once implemented at considerable expense now can be baked into continuous build systems, the company said.