Microsoft Unveils Cloud-based Fuzz Testing Service

Microsoft’s Project Springfield Allows Developers to Fuzz Code Before Hackers Do

Microsoft’s Project Springfield Allows Developers to Fuzz Code Before Hackers Do

All software has bugs. Some of those bugs are vulnerabilities, and vulnerabilities lead to breaches. Shipping fewer bugs means fewer breaches for users and fewer costly patching exercises for software vendors. Eliminating as many bugs as possible during development is the obvious answer, but doing so is itself difficult and costly.

On Monday at its Ignite Atlanta conference, Microsoft announced a new Azure-based software fuzz testing service, based around its own internal Scalable, Automated, Guided Execution (SAGE) testing tool. The new service is labeled Project Springfield.

Traditional fuzz testing generates random or mutated inputs and watches for crashes. Springfield instead uses what Microsoft calls ‘white box fuzz testing’: rather than hoping a random input happens to satisfy an interesting branch condition, it observes the conditions the program checks while processing an input and derives new inputs that take the other side of those branches, an approach Microsoft describes as artificial intelligence. “It uses artificial intelligence to ask a series of ‘what if’ questions and make more sophisticated decisions about what might trigger a crash and signal a security concern,” said Microsoft in a blog post Monday. “Each time it runs, it gathers data to home in on the areas that are most critical. This more focused, intelligent approach makes it more likely that Project Springfield will find vulnerabilities other fuzzing tools might miss.”

Microsoft senior researcher David Molnar compared the effect to examining a road crash. When all you see is the crash, you don’t know why the crash happened. Regular fuzzers might show you the software crash, but the AI element of Springfield allows it to discover how the software actually works before the crash.

Prior to the announcement, Project Springfield was tested by a small number of Microsoft customers. Traditional fuzz testing can miss bugs entirely. “I could spend four or five days writing test definitions for our current fuzzing platform and even when I fuzzed our product, I got no results,” says Zdenek Ryska, senior software developer at OSIsoft. But things changed with Springfield.

“Our other fuzzing platform was only as effective as you could write the test definitions,” he continued. “It could take months to fine tune them and you still have no idea how much code coverage you are getting. With Springfield, in two days we had reports showing results, while with the other tool, we ran it for three weeks and got nothing. The confidence that we will find a bug, if it’s there, is huge.”

Springfield is a cloud service: the customer works in a virtual machine on Azure, and the service tests binaries rather than source code. That makes it suitable for testing in-house software, software acquired through M&A, and even third-party software being evaluated for purchase.


The binaries are uploaded and installed on the VM together with a test driver program that runs the scenario being tested, and a set of sample input files (the seed files) that serve as the starting point for fuzzing. Once testing starts, any security vulnerabilities found are reported back to the customer in real time via a secure web portal.
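The following is an added illustration, not code from Microsoft or Project Springfield, of what the two pieces described above look like in practice: a test driver that takes one input file and hands it to the code under test, and the kind of nested magic-value and length checks that make whitebox fuzzing pay off over random input generation. The record format (the “SPRF” header, version and length bytes) and every function name here are hypothetical, invented for the example; a Springfield driver would call the customer’s own binary instead of parse_record.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes returned by the function under test. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_TOO_SHORT = 1,
    PARSE_BAD_MAGIC = 2,
    PARSE_BAD_VERSION = 3,
    PARSE_BAD_LENGTH = 4
};

/* Hypothetical record format, invented for this example only:
 *   bytes 0-3  magic "SPRF"
 *   byte  4    version, must be 1
 *   byte  5    payload length N
 *   bytes 6..  N payload bytes
 * Each check below is a branch that a whitebox fuzzer records as a path
 * constraint on the current input and then negates to derive an input
 * that reaches the other side. */
int parse_record(const uint8_t *buf, size_t len, uint8_t *out, size_t out_len)
{
    if (len < 6)
        return PARSE_TOO_SHORT;
    /* A random fuzzer satisfies this 4-byte comparison with probability
     * 2^-32 per attempt; a constraint solver reads "SPRF" off the
     * comparison itself and produces it in one step. */
    if (memcmp(buf, "SPRF", 4) != 0)
        return PARSE_BAD_MAGIC;
    if (buf[4] != 1)
        return PARSE_BAD_VERSION;
    size_t n = buf[5];
    /* A length field taken from untrusted input must be checked against
     * both the bytes actually present and the destination buffer before
     * any copy; len >= 6 was established above, so len - 6 cannot wrap. */
    if (n > len - 6 || n > out_len)
        return PARSE_BAD_LENGTH;
    memcpy(out, buf + 6, n);
    return PARSE_OK;
}

/* Reads a whole file into a heap buffer; returns NULL on any failure. */
static uint8_t *read_file(const char *path, size_t *len_out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    uint8_t *buf = malloc(sz ? (size_t)sz : 1);
    if (!buf) { fclose(f); return NULL; }
    if (fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); fclose(f); return NULL; }
    fclose(f);
    *len_out = (size_t)sz;
    return buf;
}

/* The driver: one input file in, one deterministic run of the scenario.
 * Returns the parser's result code, or -1 if the file could not be read. */
int run_driver(const char *path)
{
    size_t len = 0;
    uint8_t *buf = read_file(path, &len);
    if (!buf) return -1;
    uint8_t payload[64];
    int rc = parse_record(buf, len, payload, sizeof payload);
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    int rc = run_driver(argv[1]);
    printf("parse_record returned %d\n", rc);
    return rc < 0 ? 1 : 0;
}
```

A seed file for this driver is simply a well-formed record on disk, for instance the nine bytes `SPRF` `0x01` `0x03` `abc`; the fuzzer mutates and extends it from there. Two properties of the driver matter more than its size: it must be deterministic (same file, same path through the code, so a crash can be reproduced from the reported input), and it must exercise the real parsing code rather than a simplified copy, since the whole point is to let the fuzzer reason about the branches the shipped binary actually takes.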

Fuzzing as a Service offers the same advantage as any other cloud service: computing power on demand. “Because the service runs in Azure,” commented Bryan Owen, cyber security manager at OSIsoft, “we don’t have to budget for computing resources or staff resources to get the job done.”

Springfield is not yet generally available. It currently supports Windows programs, with Linux support planned. Microsoft is now looking for customers to test the service free of charge, and for consulting partners to build integrations that automate the fuzzing process.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
