Project Springfield: Cloud-based fuzz testing for uncovering million-dollar bugs
This Moday Microsoft debuted Project Springfield, a cloud-based fuzz testing (aka fuzzing) service that the company has been working on for a quite a while.
David Molnar and Patrice Godefroid, two of the key researchers behind Project Springfield, have been claiming since 2010 that fuzzing in the cloud will revolutionize security testing, and now they have provided the means to prove that assertion.
What is fuzz testing?
Fuzz testing is a method for discovering bugs and security vulnerabilities in software by hitting it with random and unexpected inputs. Some of the inputs thrown at the software will cause crashes, thus revealing the existence of a bug and pointing programmers in the right direction to fix it.
Fuzz testing improves software security because it often finds bugs that human testers fail to find.
In fact, Microsoft has been using SAGE – a fuzzing technology they developed and employed internally, and a key component of Project Springfield – to test Windows 7 before it was released. Through it, they found one third of the “million dollar” security bugs affecting the OS.
About Project Springfield
“Project Springfield works on binaries, with no source code or private symbols needed,” Microsoft explains. “You need to be able to install software you deploy on a virtual machine that runs in Azure, provide a “test driver” that exercises your software, and a set of sample inputs. Project Springfield uses these to create many test cases for exercising your program.”
The service performs (among other things) white-box fuzz testing with the help of artificial intelligence. This way, the fuzzing is more focused and, they claim, definitely more effective.
Project Springfield incorporates SAGE, but also other fuzz testing tools. Users interact with the service through a web portal.
“Project Springfield reports security vulnerabilities in real time on the secure web portal. Customers can download actionable test cases to reproduce the issue,” they explain. “Customer can prioritize and fix bugs, then re-test to ensure the effectiveness of the fix.”
Project Springfield is currently being used by a number of enterprise customers, and others are welcome to sign up for a free evaluation.