
DevSecOps is the New Trend at Microsoft: Project OneFuzz

TL;DR

The replacement for Microsoft Security Risk Detection for code security testing is on track, and it is called Project OneFuzz: an extensible fuzz testing framework for Azure.

Project OneFuzz is available on GitHub under an MIT license. (Photo by Tadas Sar on Unsplash)

Key Facts

  1. Microsoft announced that they will replace the current software testing experience known as Microsoft Protection and Risk Identification with an automated, open source method: Project OneFuzz.

  2. Project OneFuzz is a self-hosted Fuzzing-As-A-Service platform, available as an open source tool on GitHub.

  3. This testing framework was already used internally by Microsoft Edge, Windows, and teams across Microsoft.

  4. Microsoft notes, "recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code".

  5. New features can now be baked into continuous build systems through crash detection, coverage tracking and input harnessing. These advances enable developers to create unit test binaries with a modern fuzzing lab compiled in: highly reliable test invocation, input generation, coverage, and error detection in a single executable.

  6. Microsoft has also added experimental support for these features to Visual Studio so that test binaries can be built by a compiler, helping developers bypass the need to integrate them into a continuous integration (CI) or continuous development (CD) pipeline.

Details

Wikipedia defines Fuzzing or fuzz testing as an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input.

An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose corner cases that have not been properly dealt with.
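The harness below is an added example, not code from Microsoft or the OneFuzz repository. It shows what a unit test binary with the fuzzing engine compiled in looks like using LLVM's libFuzzer entry point, and how each parser check corresponds to a class of "valid enough" or "invalid enough" input. The record format ("FZ" magic, one length byte, payload) and the names `parse_record`, `struct record` and `MAX_PAYLOAD` are constructed for illustration.

```c
/* Added example: libFuzzer-style harness for a constructed record format.
 * Build as a fuzzer: clang -g -fsanitize=fuzzer,address harness.c */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 16   /* hypothetical limit of the toy format */

enum parse_status { PARSE_OK = 0, PARSE_TOO_SHORT, PARSE_BAD_MAGIC,
                    PARSE_TRUNCATED, PARSE_TOO_LONG };

struct record {
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Parser under test (hypothetical). Removing either length check turns the
 * memcpy into an out-of-bounds access that AddressSanitizer reports. */
enum parse_status parse_record(const uint8_t *data, size_t size,
                               struct record *out)
{
    if (size < 3)
        return PARSE_TOO_SHORT;
    if (data[0] != 'F' || data[1] != 'Z')
        return PARSE_BAD_MAGIC;     /* not "valid enough": rejected up front */
    uint8_t len = data[2];
    if ((size_t)len > size - 3)
        return PARSE_TRUNCATED;     /* declared length exceeds the input */
    if (len > MAX_PAYLOAD)
        return PARSE_TOO_LONG;      /* would overflow out->payload */
    out->len = len;
    memcpy(out->payload, data + 3, len);
    return PARSE_OK;
}

/* Entry point libFuzzer calls once per generated input. It accepts any bytes
 * and returns 0; memory errors are caught by the sanitizer runtime. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record rec = {0};
    if (parse_record(data, size, &rec) == PARSE_OK) {
        /* Invariant: a parsed record never exceeds its buffer. */
        if (rec.len > MAX_PAYLOAD)
            abort();
    }
    return 0;
}
```

With `-fsanitize=fuzzer` the engine supplies `main`, generates inputs, tracks coverage and stops on the first sanitizer report, so the result is a single executable a build system can run.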

According to Microsoft, Project OneFuzz enables:

  • Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
  • Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
  • Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
  • On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
  • Observable and Debug-able: Transparent design allows introspection into every stage.
  • Fuzz on Windows and Linux OSes: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor.
  • Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages.

Fuzz testing is a highly effective method for increasing the security and reliability of native code—it is the gold standard for finding and removing costly, exploitable security flaws. Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.

Justin Campbell
Principal Security Software Engineering Lead, Microsoft Security
