Microsoft unveils new, open source bug finding tool, Project OneFuzz

Earlier today, Microsoft updated the C++ extension for Visual Studio Code, bumping it up to version 1.0. The source-code editor is one of several Microsoft products that are available on GitHub under a standard MIT license.

Today, a new open source tool – Project OneFuzz – has been released by the tech giant under the same licensing. Coming in as a replacement for Microsoft's discontinued Security Risk Detection Service, the new platform is termed an "open source self-hosted developer fuzzing platform for Azure".

Fuzz testing is essentially the discovery and removal of exploitable security flaws through a rigorous testing process that involves flooding the program in question with huge amounts of random or malformed data. Although quite useful, it is often complicated to set up and run. Project OneFuzz attempts to make fuzz testing an easier and more continuous process by utilizing recent advancements made through the open-source LLVM compiler infrastructure project.

As a result of the aforementioned advancements, mechanisms that previously had to be bolted onto continuous build systems can now be baked directly into them. Crash detection, for example, can be built in through AddressSanitizer (asan), while coverage tracking can be baked in using SanitizerCoverage (sancov). Looking ahead, these changes enable the development of unit test binaries with a variety of fuzzing techniques built into a single executable.
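As an added illustration (not code from the article or the OneFuzz project) of what such a "unit test binary with fuzzing built in" looks like, here is a libFuzzer-style fuzz target around a constructed, bounds-checked record parser; libFuzzer as the harness and the clang build flags are assumptions, since the article names only LLVM, asan and sancov.

```c
/* Added example, not OneFuzz code. Build with clang (assumed):
 *   clang -g -O1 -fsanitize=fuzzer,address target.c -o target
 * -fsanitize=fuzzer links libFuzzer and enables SanitizerCoverage (sancov)
 * for coverage feedback; -fsanitize=address adds AddressSanitizer (asan)
 * so out-of-bounds accesses surface as crashes instead of silent corruption. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format: repeated records of
 * [1-byte type][1-byte len][len bytes payload]. */
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} record_t;

/* Parse one record at *pos. Returns 1 on success, 0 on truncated or
 * malformed input. Every read is checked against the remaining size; if the
 * length check before memcpy were missing, asan would report the overflow. */
static int parse_record(const uint8_t *buf, size_t size, size_t *pos, record_t *out) {
    if (size - *pos < 2) return 0;                 /* header must fit */
    out->type = buf[*pos];
    out->len  = buf[*pos + 1];
    if (out->len > MAX_PAYLOAD) return 0;          /* payload must fit the struct */
    if (size - *pos - 2 < out->len) return 0;      /* payload must fit the input */
    memcpy(out->payload, buf + *pos + 2, out->len);
    *pos += 2 + (size_t)out->len;
    return 1;
}

/* Count well-formed records, stopping at the first malformed one. */
int count_records(const uint8_t *buf, size_t size) {
    size_t pos = 0;
    int n = 0;
    record_t r;
    while (pos < size && parse_record(buf, size, &pos, &r)) n++;
    return n;
}

/* libFuzzer entry point: the fuzzer calls this with every generated input,
 * so the parser is exercised by the same binary that the build produces. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    count_records(data, size);
    return 0;   /* libFuzzer reserves non-zero return values */
}
```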

Project OneFuzz then allows for the building of these test binaries into CI/CD pipelines and large-scale fuzz workflows in the cloud. The highlighted features of the tool include:

  • Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
  • Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
  • Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
  • On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
  • Observable and Debug-able: Transparent design allows introspection into every stage.
  • Fuzz on Windows and Linux OSes: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor.
  • Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages.

The testing framework is already being used in other Microsoft services and platforms, including Microsoft Edge and Windows. Now, with Project OneFuzz's availability being extended to developers all over the world, it can be accessed on GitHub. Contributions from the open-source community have been welcomed by Microsoft, with the firm promising that future updates to the tool will be brought to the community as they occur.