Microsoft’s OneFuzz
Microsoft has released Project OneFuzz, an extensible fuzz testing framework for Azure. Earlier this year the company announced that it would replace its existing software testing service, Microsoft Security Risk Detection, with an automated, open-source tool, as the industry moved toward that model.
Fuzz testing is an effective way to improve the security and reliability of native code. Microsoft says the goal is to let developers easily and continuously fuzz their code before release. This public release of Project OneFuzz is intended to help harden the platforms and tools that power our day-to-day work and personal lives, making an attacker's job harder.
Recent advances in compilers, open-sourced in LLVM and pioneered by Google, have changed the security engineering work involved in fuzzing native code. What previously had to be bolted on, at considerable cost, can now be built into continuous build systems:
- Input harnessing, once bolted on via custom I/O harnesses, can be built in with libFuzzer's LLVMFuzzerTestOneInput function prototype.
- Crash detection, once bolted on via tools such as Electric Fence, can be built in with AddressSanitizer (ASan).
- Coverage tracking, once bolted on via tools such as iDNA, DynamoRIO, and Pin, can be built in with SanitizerCoverage (SanCov).
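As an added example (not code from Microsoft's OneFuzz announcement or repository), the following is a minimal libFuzzer-style harness around a small record parser. It shows the LLVMFuzzerTestOneInput entry point from the list above, and the build flags that give you ASan crash detection and SanCov coverage without any separate tooling. The record format, the parse_record function and the LIBFUZZER_BUILD macro are assumptions made for this illustration; the bounds checks are the ones a fuzzer plus ASan would force you to add if they were missing.

```c
// Added example, not from the OneFuzz project. Constructed parser + harness.
//
// Fuzz build (libFuzzer supplies main; ASan + SanCov come with the flag):
//   clang -g -O1 -fsanitize=fuzzer,address -DLIBFUZZER_BUILD harness.c -o harness
//   ./harness seeds/            # fuzz, using seeds/ as the initial corpus
//   ./harness crash-<hash>      # reproduce a saved crashing input
//
// Plain build (no libFuzzer): replays files through the same entry point:
//   cc -g -fsanitize=address harness.c -o replay && ./replay crash-<hash>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (assumption): 1-byte tag, 1-byte length, then
 * `len` bytes of payload, copied into a fixed-size buffer. */
#define PAYLOAD_MAX 32

typedef struct {
    uint8_t tag;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} record_t;

/* Returns 0 on success, -1 on malformed input. Every read is checked against
 * `size`, and `len` is capped at PAYLOAD_MAX. Without the cap, a record with
 * len > 32 overflows `payload` (ASan: stack-buffer-overflow in the harness);
 * without the truncation check, a short input over-reads `data`
 * (ASan: heap-buffer-overflow, since libFuzzer hands inputs out on the heap). */
int parse_record(const uint8_t *data, size_t size, record_t *out)
{
    if (data == NULL || out == NULL || size < 2)
        return -1;
    out->tag = data[0];
    out->len = data[1];
    if (out->len > PAYLOAD_MAX)          /* oversize: would overflow payload */
        return -1;
    if ((size_t)out->len > size - 2)     /* truncated: would over-read data */
        return -1;
    memcpy(out->payload, data + 2, out->len);
    return 0;
}

/* libFuzzer entry point: called once per generated input. Must be
 * deterministic and must not keep state between calls, or coverage-guided
 * mutation and crash reproduction become unreliable. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    record_t rec;
    (void)parse_record(data, size, &rec);
    return 0;   /* non-zero return values are reserved by libFuzzer */
}

#ifndef LIBFUZZER_BUILD
/* Stand-alone driver: replay corpus or crash files through the harness.
 * Not compiled in the fuzz build, where libFuzzer provides main(). */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (f == NULL) {
            perror(argv[i]);
            continue;
        }
        uint8_t buf[4096];
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        LLVMFuzzerTestOneInput(buf, n);
        printf("%s: replayed %zu bytes\n", argv[i], n);
    }
    return 0;
}
#endif
```

The same harness binary is what a OneFuzz libFuzzer job runs at scale; keeping the entry point free of global state is what makes a reported crash input reproduce locally with a single replay command.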
According to Microsoft, Project OneFuzz has already enabled continuous, developer-driven fuzzing of Windows, letting the company proactively harden the platform before new OS builds ship. Developers can launch fuzz jobs with a single command line, scaling from a few VMs to thousands of cores. Project OneFuzz provides:
- Built-in ensemble fuzzing: by default, fuzzers work as a team to share their strengths, exchanging interesting inputs between fuzzing technologies.
- Composable fuzzing workflows: being open source lets users onboard their own fuzzers, swap instrumentation, and manage seed inputs.
- Observable and debuggable: a transparent design allows introspection into every stage.
- Programmatic triage and result deduplication: it reports unique flaw cases that always reproduce.
Project OneFuzz is available now on GitHub under an MIT license. Microsoft will continue to maintain and expand Project OneFuzz, releasing updates to the open-source community as they become available.
Share issues, comments, and feedback with Microsoft at fuzzing@microsoft.com.