Microsoft Announces OneFuzz Framework
Written by Kay Ewbank
Friday, 18 September 2020
Microsoft has announced the Project OneFuzz framework, an open source developer tool to find and fix bugs at scale. The automated, open-source tool will replace the Microsoft Security and Risk Detection tool.

Project OneFuzz is an extensible fuzz testing framework for Azure that will be available through GitHub as an open-source tool. Microsoft developers in the Edge and Windows teams are already using the framework.

While fuzz testing is an effective method for finding and removing exploitable security flaws, it can be complicated to use and to extract information from. This has meant fuzz testing has been seen as requiring dedicated security engineering teams to build and operate. The aim is to let developers perform fuzz testing, shifting the discovery of vulnerabilities to earlier in the development lifecycle.

Microsoft says that recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code. Experimental support for fuzz testing techniques is being added to Visual Studio, and Microsoft says once the test binaries can be built by a compiler, today's developers are left with the challenge of building them into a CI/CD pipeline and scaling fuzzing workloads in the cloud.

Project OneFuzz supports the creation of composable fuzzing workflows that can include other fuzzers and different instrumentation. It comes with built-in ensemble fuzzing, where inputs of interest can be swapped between fuzzing technologies. OneFuzz also provides flaw cases that always reproduce errors to assist with testing, along with on-demand live-debugging of found crashes. This means developers can summon a live debugging session on-demand or from their build system.

The software can be used on Windows and Linux, running on your own OS build, kernel, or nested hypervisor.
Last Updated ( Friday, 18 September 2020 )