News

Microsoft's Security Group Open Sources Fuzzing Framework for Azure

• By John K. Waters
• September 22, 2020

Microsoft is enabling continuous developer-driven "fuzzing" with a newly open sourced tool the company has been using in-house for years. Project OneFuzz, an extensible fuzz testing framework for Azure, is the testing framework used by Microsoft Edge, Windows, and teams across the organization, the company says.

Microsoft describes OneFuzz as a self-hosted Fuzzing-As-A-Service platform. It's designed to enable continuous, developer-driven fuzzing to proactively harden software prior to release. "With a single command, which can be baked into CI/CD [systems], developers can launch fuzz jobs from a few virtual machines to thousands of cores," Microsoft says.

Fuzz testing, or "fuzzing," is an automated quality assurance technique used to discover bugs and security vulnerabilities in software and systems. The technique involves providing the target program or system with invalid, unexpected, and/or random data, often in massive amounts, with the aim of causing a crash.

In a blog post, Mike Walker, senior director of special projects management in Microsoft's security group, and Justin Campbell, principal security software engineering lead in that group, characterized fuzz testing as "the gold standard for finding and removing costly, exploitable security flaws."

"Traditionally, fuzz testing has been a double-edged sword for developers," they added, "mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work."

The list of features and capabilities in this release of Project OneFuzz includes:

• Composable fuzzing workflows: Open source allows users to onboard their own "fuzzers," swap instrumentation, and manage seed inputs.
• Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
• Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
• On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
• Observable and Debug-able: Transparent design allows introspection into every stage.
• Fuzz on Windows and Linux OSes: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor.
• Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages

"Microsoft's goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment," the two bloggers wrote. "The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker's job more difficult."

OneFuzz is available now on GitHub under an MIT license. Microsoft says it welcomes contributors to the open-source project, but adds that most contributions will require users to agree to a Contributor License Agreement (CLA).