Microsoft has open-sourced OneFuzz, its own internal continuous developer-driven fuzzing platform, allowing developers around the world to receive fuzz testing results directly from their build system.
Fuzzing is an automated software testing technique that involves entering random, unexpected, malformed and/or invalid data into a computer program. The goal is to reveal exceptions (e.g., crashes, memory leaks, etc.) and unexpected behaviors that could affect the program’s security and performance.
Azure-powered continuous developer-driven fuzzing
Project OneFuzz is an extensible, self-hosted Fuzzing-As-A-Service platform for Azure that aggregates several existing fuzzers and (through automation) bakes in crash detection, coverage tracking and input harnessing.
The tool is used by Microsoft’s internal teams to strengthen the security development of Windows, Microsoft Edge, and other software products.
“Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from,” Microsoft Security principal security software engineering lead Justin Campbell and senior director for special projects management Mike Walker noted.
“That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.”
The tool’s capabilities
As the two explained, OneFuzz will allow developers to launch fuzz jobs – ranging in size from a few virtual machines to thousands of cores – with a single command line baked into the build system.
The tool’s features include:
- Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
- Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
- Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
- On-demand live-debugging of found crashes: It lets users summon a live debugging session on-demand or from their build system.
- Transparent design that allows introspection into every stage.
- Detailed telemetry: Easy monitoring of all fuzzing
- Multi-platform by design: Fuzzing can be performed on Windows and varios Linux OSes, by using one’s own OS build, kernel, or nested hypervisor.
- Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages
- Code Coverage KPIs: Users can monitor their progress and motivate testing using code coverage as key metric.
OneFuzz will be available to the rest of the world in a few days (via GitHub). Microsoft will continue to update and expand it with contributions from the company’s various teams, and welcomes contributions and suggestions from the wider open-source community.