Microsoft has come up with the new cloud-based service called Project Springfield for developers which help them to test application binaries for security bugs before deployment. “Whitebox fuzzing” is being used in this service, which lets developers find software bugs that are used by hackers to exploit systems.
There are two different approaches to do fuzzing tests, one by giving random inputs given to the software to find something that breaches the code and the other one is static code analysis or “white boxing” it just looks the code and walks through it without executing it, range of inputs are given to find if any bugs are present in the software.
Some of the features in the above-mentioned approaches are used for Whitebox fuzzing. In this process, initially, the sample inputs are taken by white box tester which dynamically generates a new set of inputs to check the performance of the code by going through the process. Machine learning techniques are used; frequently system runs the code through the fuzzing sessions, adapting its approach based on what it find with the each iteration. This technique is similar to techniques which are built by the competitors in the Defense Advanced Research Projects Agency's Cyber Grand Challenge that allows automated bug detection and patching.
Microsoft’s internal Whitebox fuzzing tool called SAGE which was developed by a Microsoft Research scientist, Patrice Godefroid and his team which is the basic foundation for the new service. Initially, SAGE was used in testing Windows 7 prior to its release and for discovering bugs by fuzzing tools, in spite of being used after all other testing completion. SAGE is now the basic foundation for Project Springfield, which is lead by Godefroid. This service puts the fuzz-testing system in the Azure cloud behind a dashboard. Users can upload their code for testing along with a “test driver”-an interface for giving sample inputs to the code.
Project Springfield service works with Windows binaries and this service is available in limited preview. In the coming days, even Linux testing will be available.