SecurityWeek

Microsoft Unveils Cloud-based Fuzz Testing Service

Microsoft’s Project Springfield Allows Developers to Fuzz Code Before Hackers Do

All software has bugs. Bugs lead to vulnerabilities which then lead to breaches. Fewer bugs will inevitably lead to fewer breaches for users, and fewer costly patching exercises for software vendors. It is a no-brainer to eliminate as many bugs as possible during development; but that in itself is difficult and costly.

On Monday at its Ignite Atlanta conference, Microsoft announced a new Azure-based software fuzz testing service, based around its own internal Scalable, Automated, Guided Execution (SAGE) testing tool. The new service is labeled Project Springfield.

While fuzz testing traditionally generates and tests random inputs against software, Springfield uses artificial intelligence (AI) to focus testing around potential problem areas in what it calls ‘white box fuzz testing’. “It uses artificial intelligence to ask a series of ‘what if’ questions and make more sophisticated decisions about what might trigger a crash and signal a security concern,” said Microsoft in a blog post Monday. “Each time it runs, it gathers data to hone in on the areas that are most critical. This more focused, intelligent approach makes it more likely that Project Springfield will find vulnerabilities other fuzzing tools might miss.”

Microsoft senior researcher David Molnar compared the effect to examining a road crash. When all you see is the crash, you don’t know why the crash happened. Regular fuzzers might show you the software crash, but the AI element of Springfield allows it to discover how the software actually works before the crash.
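The contrast between blind and guided fuzzing, as an added example that is not Microsoft's or SAGE's code: the nested byte checks are a constructed target, and the guided loop is a simplified stand-in that uses branch-depth feedback rather than the constraint solving a white-box fuzzer performs.

```c
#include <stdint.h>
#include <stdio.h>
#define LEN 4

/* Constructed target: depth reached in nested checks; LEN stands in for the crash. */
static int target_depth(const uint8_t *in) {
    if (in[0] != 'b') return 0;
    if (in[1] != 'a') return 1;
    if (in[2] != 'd') return 2;
    if (in[3] != '!') return 3;
    return 4;
}

static uint32_t xorshift32(uint32_t *s) {   /* small deterministic PRNG */
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Blind fuzzing: random inputs, no feedback. Trials used, or -1 if none hit. */
long blind_fuzz(long budget, uint32_t rng) {
    uint8_t buf[LEN];
    for (long t = 1; t <= budget; t++) {
        for (int i = 0; i < LEN; i++) buf[i] = (uint8_t)(xorshift32(&rng) >> 24);
        if (target_depth(buf) == LEN) return t;
    }
    return -1;
}

/* Guided fuzzing: keep any byte that drives execution one branch deeper.
   Returns executions used (buf then holds the crashing input), or -1. */
long guided_fuzz(uint8_t *buf) {
    long runs = 1;
    int best = target_depth(buf);
    for (int pos = 0; pos < LEN && best < LEN; pos++) {
        uint8_t keep = buf[pos];
        for (int v = 0; v < 256; v++) {
            buf[pos] = (uint8_t)v; runs++;
            int d = target_depth(buf);
            if (d > best) { best = d; keep = (uint8_t)v; break; }
        }
        buf[pos] = keep;
    }
    return best == LEN ? runs : -1;
}

int main(void) {
    uint8_t seed[LEN] = {'g', 'o', 'o', 'd'};   /* constructed seed input */
    printf("blind: %ld  guided: %ld\n", blind_fuzz(20000, 1u), guided_fuzz(seed));
    return 0;
}
```

Each blind trial has a 1 in 2^32 chance of passing all four checks, while the guided loop needs at most 1 + 4 × 256 executions because it learns from how far each input got.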

Prior to the announcement, Project Springfield was tested by a small number of Microsoft customers. Traditional fuzz testing always has the potential to miss bugs. “I could spend four or five days writing test definitions for our current fuzzing platform and even when I fuzzed our product, I got no results,” says Zdenek Ryska, senior software developer at OSIsoft. But things changed with Springfield.

“Our other fuzzing platform was only as effective as you could write the test definitions,” he continued. “It could take months to fine tune them and you still have no idea how much code coverage you are getting. With Springfield, in two days we had reports showing results, while with the other tool, we ran it for three weeks and got nothing. The confidence that we will find a bug, if it’s there, is huge.”

Springfield is a cloud service. The customer uses a virtual machine on Azure, and works on binaries. This makes it suitable for testing in-house software, software acquired through M&A, and even third-party software being considered for purchase.

The binaries are uploaded and installed on the VM together with a test driver program that runs the scenario being tested, and a set of sample input files, the seed files, that will be used as a starting point for fuzzing. When the testing starts, any detected security vulnerabilities are reported back to the customer in real time via a secure web portal.

Fuzzing as a Service offers the same advantages as all other cloud services — access to computing power on demand. “Because the service runs in Azure,” commented Bryan Owen, cyber security manager at OSIsoft, “we don’t have to budget for computing resources or staff resources to get the job done.”

Springfield is not yet available for general use. It currently supports Windows programs and will include Linux in the future. Microsoft is now looking for customers to test the service by using it free of charge; and for consulting company partners to build integrations to automate the fuzzing process.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
