Microsoft Announces OneFuzz Framework
Written by Kay Ewbank   
Friday, 18 September 2020

Microsoft has announced Project OneFuzz framework, an open source developer tool to find and fix bugs at scale. The automated, open-source tool will replace the Microsoft Security and Risk Detection tool.

Project OneFuzz is an extensible fuzz testing framework for Azure that will be available through GitHub as an open-source tool. Microsoft developers in the Edge and Windows teams are already using the framework.

springfield

While fuzz testing is an effective method for finding and removing exploitable security flaws, it can be complicated to make use of and to extract information from. This has meant fuzz testing has been seen as requiring dedicated security engineering teams to build and operate. The aim is to let developers perform fuzz testing, so shifting the discovery of vulnerabilities to earlier in the development lifecycle.

Microsoft says that recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code. 

Experimental support for fuzz testing techniques is being added to Visual Studio, and Microsoft says once the test binaries can be built by a compiler, today’s developers are left with the challenge of building them into a CI/CD pipeline and scaling fuzzing workloads in the cloud.

Project OneFuzz supports the creation of composable fuzzing workflows that can include other fuzzers and different instrumentation. It comes with built-in ensemble fuzzing where inputs of interest can be swapped between fuzzing technologies.

OneFuzz also provides flaw cases that always reproduce errors to assist with testing, along with on-demand live-debugging of found crashes. This means developers can summon a live debugging session on-demand or from their build system. The software can be used on Windows and Linux, running on your own OS build, kernel, or nested hypervisor.

springfield

More Information

OneFuzz On GitHub

Open Source Fuzzing Session At CppCon 2020

Related Articles

Google Launches Fuzzer Benchmarking Service

Microsoft Launches Cloud Fuzzing Service

New tool detects RegEx security weakness

Tactical Pentesting With Burp Suite

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


JetBrains Improves Kubernetes Support In IDE Upgrades
12/11/2024

JetBrains has improved its IDEs with features to suggest the logical structure of code, to streamline the debugging experience for Kubernetes applications, and provide comprehensive cluster-wide Kuber [ ... ]



Fermyon's Spin WebAssembly Version 3.0 Released
26/11/2024

The open source developer tool for building, distributing, and running serverless WebAssembly applications reaches version 3.0. What's new?


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 18 September 2020 )