Distributed Fuzzing Framework is what they call it at Microsoft, and it’s the realization of an idea that originated with one of the software design engineers on its Access team.
In short, Microsoft used its own idling PCs in every part of the company, connected them all into one “botnet” and threw a massive amount of invalid, unexpected and random data at Office 2010 to test its code.
This uncovered more than 1,800 bugs, but Tom Gallagher, senior security test lead, stresses that this doesn’t mean all the bugs found were linked to security issues, although he refuses to say how many actual vulnerabilities were discovered during the process.
According to him, this “botnet for fuzzing” has shortened the time required for such testing from days to hours. The client software becomes operative the moment the computer is idle (on weekends and after working hours) and recruits its resources. “We can do 12 million iterations without a lot of effort,” he says. “Set it up, go home, come in on Monday, and we have the results listing all the issues.”
Computerworld reports that so far, the SharePoint, MSN client and Fast development teams have also taken advantage of the opportunity to harness the power of this network for testing, but the Windows developers have yet to try it.
It seems that Microsoft has decided to take a leaf out of Charlie Miller’s book. They listened attentively when he gave his presentation on fuzzing techniques at this year’s CanSecWest.
The security of Office 2010 will definitely benefit from this type of testing. Alongside the announced increased flexibility of the file blocker and a new sandbox, it looks like this office suite will really be on another security level altogether. Even so, Gallagher admits that they are not expecting to find EVERY bug in Office 2010.