Microsoft is releasing a new open-source tool to help developers find and fix bugs at scale. Project OneFuzz is a fuzz testing framework for Azure.
According to Microsoft, fuzz testing is an effective method for improving code quality, and is a gold standard for finding and removing exploitable security vulnerabilities. Although it is effective, it’s also often complicated to use, execute, and extract information from. With OneFuzz, the company hopes to eliminate some of that complexity.
Developers can use OneFuzz to launch a fuzzing job from just a single command line.
Key capabilities of Project OneFuzz include:
- composable fuzzing workflows,
- built-in ensemble fuzzing,
- programmatic triage and result deduplication,
- on-demand live-debugging of found crashes,
- introspection at every stage,
- the ability to fuzz on Windows and Linux,
- and crash reporting notification callbacks.
The project is currently available on GitHub and is being updated by Microsoft Research & Security Groups. The company plans to continue maintaining and expanding the project.
“Microsoft’s goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment. The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker’s job more difficult,” Justin Campbell, principal security software engineering lead at Microsoft Security, and Mike Walker, special projects management at Microsoft Security, wrote in a post.