Microsoft: Windows 10 is hardened with these fuzzing security tools – now they're open source

Microsoft's open-source Project OneFuzz automates the detection of software bugs that could be security issues.
Written by Liam Tung, Contributing Writer

Microsoft has released a new open-source security tool called Project OneFuzz, a testing framework for Azure that brings together multiple software security testing tools to automate the process of detecting crashes and bugs that could be security issues.

Google's open-source fuzzing bots have helped it detect thousands of bugs in its own software and other open-source software projects. Now Microsoft is releasing its answer to the same challenge for software developers. 

Project OneFuzz is available on GitHub under an open-source MIT license like Microsoft's other open-source projects, such as Visual Studio Code, .NET Core and the TypeScript programming language for JavaScript.

SEE: Hiring Kit: Python developer (TechRepublic Premium)

Microsoft describes Project OneFuzz as an "extensible fuzz testing framework for Azure". 

Fuzzing essentially involves throwing random code at software until it crashes, potentially revealing security issues but also performance problems. 

Google has been a major proponent of the technique, pushing coders and security researchers towards fuzzing utilities and techniques. Its open-source fuzzers include OSS-Fuzz and Cluster Fuzz. 

OSS-Fuzz is available for developers to download from GitHub and use on their own code. It's also available as a cloud service for select open-source projects. 

Microsoft previously announced that it would replace its existing software testing toolset known as Microsoft Security and Risk Detection with the automated, open-source fuzzing tool. 

The Redmond company also says it's solving a different and expensive challenge for all businesses that employ software developers, and gives credit to Google for pioneering the technology. 

OneFuzz is the same testing framework Microsoft uses to probe Edge, Windows and other products at the company. It's already helped Microsoft harden Windows 10, according to Microsoft.

"Fuzz testing is a highly effective method for increasing the security and reliability of native code – it is the gold standard for finding and removing costly, exploitable security flaws," said Microsoft Security's Justin Campbell, a principal security software engineering lead, and Mike Walker, a senior director, special projects management. 

"Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. 

"That complexity required dedicated security engineering teams to build and operate fuzz-testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work." 

As Microsoft notes, "recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code". 

SEE: Open-source security: This is why bugs in open-source software have hit a record high

These advances make it cheaper for developers to handle what was once attached and instead bake these processes into continuous build systems, according to Microsoft. This includes crash detection, which was previously attached via tools such as Electric Fence. Now they can be baked in with asan. 

It also addresses previously attached tools such as iDNA, Dynamo Rio, and Pin that are now built in with sancov.

"Input harnessing, once accomplished via custom I/O harnesses, can be baked in with libfuzzer's LLVMFuzzerTestOneInput function prototype," Campbell and Walker note. 

Microsoft has also been adding experimental support for these features to Visual Studio so that test binaries can be built by a compiler, allowing developers to avoid the need to build them into a continuous integration (CI) or continuous development (CD) pipeline. It also helps developers scale fuzzing workloads in the cloud.  

Editorial standards