OneFuzz enables continuous developer-driven fuzz testing to identify weaknesses in software prior to release.
However, Microsoft noted that fuzz testing has been a double-edged sword for developers—mandated by the software development lifecycle and effective in finding actionable flaws, but difficult and expensive to implement, requiring dedicated security engineering teams to build fuzz testing capabilities and harness the results.
Enabling developers to run fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and frees security engineering teams to pursue more proactive work. The global release of OneFuzz is intended to help developers harden the software that powers users’ daily work and personal lives, making an attacker’s job harder.
With a single command that can be baked into a CI/CD pipeline, developers using OneFuzz can launch fuzz jobs ranging from a few virtual machines to thousands of cores. OneFuzz, which is extensible, serves as a replacement for the Microsoft Security Risk Detection software testing service. It has already been used in the development of the Microsoft Edge browser and Windows.
OneFuzz features and benefits:
- Composable fuzzing workflows
- Built-in ensemble fuzzing, in which a team of fuzzers share their strengths and swap inputs of interest between fuzzing technologies
- On-demand live debugging of crashes
- Programmatic triage and result deduplication
- Crash reporting notification callbacks
- Works with Windows and Linux
Microsoft cited compiler advances open-sourced by Google, namely compiler-inserted instrumentation such as the LLVM sanitizers and libFuzzer, as having transformed the security engineering tasks involved in fuzz testing native code: crash detection and coverage tracking are now added to the binary at build time. What was once implemented at considerable expense now can be baked into continuous build systems, the company said.
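The following is an added example, not code from the OneFuzz project or from Microsoft's announcement, of what "baking fuzzing into the build" looks like for native code: a libFuzzer-style fuzz target for a hypothetical length-prefixed record parser, which is the kind of harness a developer would hand to a fuzz job such as the CI-triggered ones described above. The wire format, the function names (`parse_record`, `parse_record_unchecked`, `make_record`, `parse_ok`, `run_constructed_corpus`), the 64-byte payload cap and the file name `record_fuzz.c` are all assumptions made for the illustration; the `LLVMFuzzerTestOneInput` entry point and the `-fsanitize=fuzzer,address` flags are real libFuzzer and clang conventions. The unchecked variant is included deliberately to show the class of bug the sanitizer instrumentation catches; the harness itself fuzzes the hardened parser.

```c
/* Added example (not OneFuzz's or Microsoft's code): a libFuzzer-style fuzz
 * target for a hypothetical record parser. Build with clang and the
 * compiler-inserted instrumentation the text refers to (coverage feedback
 * plus AddressSanitizer):
 *   clang -g -O1 -fsanitize=fuzzer,address record_fuzz.c -o record_fuzz
 *   ./record_fuzz seeds/            # libFuzzer supplies main()
 * Without -fsanitize=fuzzer the same file compiles as a plain C unit. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_CAP 64   /* assumed destination buffer size */

/* Hypothetical wire format: [len:1][payload:len][xor-checksum:1]. */

/* Hardened parser: every read is bounds-checked before it happens. */
int parse_record(const uint8_t *data, size_t size,
                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (size < 2) return -1;                       /* need len + checksum */
    size_t len = data[0];
    if (len + 2 > size) return -1;                 /* payload truncated */
    if (len > out_cap) return -1;                  /* would overflow out */
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum ^= data[1 + i];
    if (sum != data[1 + len]) return -1;           /* checksum mismatch */
    memcpy(out, data + 1, len);
    *out_len = len;
    return 0;
}

/* The "before" version, kept for contrast: it trusts the length byte and
 * omits the out_cap check, so a record with len > 64 overruns a 64-byte
 * destination. Under -fsanitize=address the fuzzer reports this as a
 * stack-buffer-overflow; without instrumentation the corruption is silent.
 * Never call it with untrusted input. */
int parse_record_unchecked(const uint8_t *data, size_t size,
                           uint8_t *out, size_t *out_len)
{
    if (size < 2) return -1;
    size_t len = data[0];
    if (len + 2 > size) return -1;
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum ^= data[1 + i];
    if (sum != data[1 + len]) return -1;
    memcpy(out, data + 1, len);                    /* BUG: no out_cap check */
    *out_len = len;
    return 0;
}

/* Builds a well-formed record (useful for a seed corpus). Returns the record
 * length, or 0 if the payload does not fit. */
size_t make_record(const uint8_t *payload, size_t len, uint8_t *rec, size_t rec_cap)
{
    if (len > 255 || len + 2 > rec_cap) return 0;
    rec[0] = (uint8_t)len;
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) { rec[1 + i] = payload[i]; sum ^= payload[i]; }
    rec[1 + len] = sum;
    return len + 2;
}

/* Convenience wrapper: 0 if the bytes parse as a valid record, -1 otherwise. */
int parse_ok(const uint8_t *data, size_t size)
{
    uint8_t buf[PAYLOAD_CAP];
    size_t n = 0;
    return parse_record(data, size, buf, sizeof buf, &n);
}

/* libFuzzer entry point: the fuzzer calls this with mutated inputs and the
 * sanitizer, not the harness, decides what counts as a crash. Must return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)parse_ok(data, size);
    return 0;
}

/* Runs a constructed mini-corpus (valid record, corrupted checksum, truncated
 * payload, oversize-but-complete payload) through the harness and returns how
 * many inputs the hardened parser accepted. Only the valid record should pass;
 * the oversize record is the one that overflows parse_record_unchecked. */
int run_constructed_corpus(void)
{
    uint8_t rec[PAYLOAD_CAP + 2];
    size_t rl = make_record((const uint8_t *)"hello", 5, rec, sizeof rec);
    uint8_t bad_sum[7];
    memcpy(bad_sum, rec, rl);
    bad_sum[6] ^= 0x01;                            /* flip the checksum byte */
    uint8_t truncated[3] = { 0x10, 'a', 'b' };     /* claims 16, carries 2 */
    uint8_t oversize[100];
    memset(oversize, 'A', sizeof oversize);
    oversize[0] = 98;                              /* 98 > PAYLOAD_CAP */
    oversize[99] = 0x00;                           /* 98 x 'A' xors to 0 */
    const uint8_t *corpus[] = { rec, bad_sum, truncated, oversize };
    const size_t sizes[]    = { rl,  rl,      3,         100 };
    int accepted = 0;
    for (size_t i = 0; i < 4; i++) {
        (void)LLVMFuzzerTestOneInput(corpus[i], sizes[i]);
        if (parse_ok(corpus[i], sizes[i]) == 0) accepted++;
    }
    return accepted;
}
```

The point of the split between `parse_record` and the harness is that the harness carries no oracle of its own: it just feeds bytes in, and the compiler-inserted AddressSanitizer and coverage instrumentation supply crash detection and the feedback that steers mutation. That is what lets the same target be built in CI and handed to a fuzzing service, and it is the property that makes programmatic triage and deduplication of the resulting crashes possible.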