
Microsoft open-sources fuzzing test framework


OneFuzz enables continuous developer-driven fuzz testing to identify weaknesses in software prior to release




Microsoft is looking to help developers continuously fuzz-test code prior to release, via the open source OneFuzz framework.


Described as a self-hosted fuzzing-as-a-service platform, OneFuzz enables developer-driven fuzzing to identify software vulnerabilities during the development process. Source code for OneFuzz is due to arrive on GitHub on September 18.


Fuzz testing aims to increase the security and reliability of native code by finding costly, exploitable security flaws before attackers do. It works by feeding software large volumes of malformed or randomly mutated inputs and watching for crashes, hangs and other failures that point to a bug the developers did not anticipate.


However, Microsoft noted that fuzz testing has been a double-edged sword for developers—mandated by the software development lifecycle and effective in finding actionable flaws, but difficult and expensive to implement, requiring dedicated security engineering teams to build fuzz testing capabilities and harness the results.


Enabling developers to run fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and frees security engineering teams to pursue more proactive work. The global release of OneFuzz is intended to help developers harden the software that powers users' daily work and personal lives, thus making an attacker's job harder.


With a single command that can be baked into a CI/CD pipeline, developers using OneFuzz can launch fuzz jobs ranging from a few virtual machines to thousands of cores. OneFuzz, which is extensible, serves as a replacement for the Microsoft Security Risk Detection software testing service. It has been used in the development of the Microsoft Edge browser and Windows.



OneFuzz features and benefits:

  • Composable fuzzing workflows
  • Built-in ensemble fuzzing, with fuzzer teams sharing strengths and swapping inputs of interest between fuzzing technologies
  • On-demand live debugging of crashes
  • Programmatic triage and result deduplication
  • Crash reporting notification callbacks
  • Works with Windows and Linux


Microsoft cited compiler advances by Google as having transformed the security engineering tasks involved in fuzz testing native code. What was once implemented at considerable expense now can be baked into continuous build systems, the company said.
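The compiler advances referred to above are usually taken to mean LLVM's sanitizers and libFuzzer, which Google engineers drove; they are what let a fuzz target be compiled and run as part of an ordinary build. As an added illustration of the harness that this "baked into the build" workflow relies on (example code written for this page, not code from OneFuzz or from the article), here is a libFuzzer-style fuzz target in C for a constructed length-prefixed record format. The format, both parser versions, the bug and the sample inputs are all constructed for illustration.

```c
/* Added example (not OneFuzz or article code): a libFuzzer-style fuzz target
 * in C. The record format, both parsers and the bug are constructed to
 * illustrate what sanitizer-instrumented fuzzing finds. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format: one length byte, then that many bytes of name. */
enum { NAME_MAX = 16 };

/* Constructed sample input: a well-formed 3-byte name. */
static const uint8_t kGoodRecord[] = { 3, 'a', 'b', 'c' };

/* Vulnerable parser: checks the length byte against the input size but not
 * against the destination buffer, so a length byte above NAME_MAX overflows
 * the stack. Built with -fsanitize=address this aborts with a
 * stack-buffer-overflow report instead of silently corrupting memory. */
int parse_record_vulnerable(const uint8_t *data, size_t len) {
    char name[NAME_MAX];
    if (len < 1) return -1;
    size_t n = data[0];
    if (len < 1 + n) return -1;   /* bound against the input ... */
    memcpy(name, data + 1, n);    /* ... but not against the buffer */
    return (int)n;
}

/* Hardened parser: also rejects any length the destination cannot hold. */
int parse_record_fixed(const uint8_t *data, size_t len) {
    char name[NAME_MAX];
    if (len < 1) return -1;
    size_t n = data[0];
    if (n > NAME_MAX || len < 1 + n) return -1;
    memcpy(name, data + 1, n);
    return (int)n;
}

/* Builds the kind of input a fuzzer finds within seconds: a length byte of
 * 255 followed by 255 filler bytes. Returns the record size, 0 if out is too small. */
size_t make_oversize_record(uint8_t *out, size_t cap) {
    if (cap < 256) return 0;
    out[0] = 255;
    memset(out + 1, 'A', 255);
    return 256;
}

/* libFuzzer entry point. Build and run with
 *   clang -g -O1 -fsanitize=fuzzer,address fuzz_target.c -o fuzz_target
 *   ./fuzz_target corpus/
 * Pointing it at parse_record_vulnerable instead reproduces the overflow. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    parse_record_fixed(data, size);
    return 0;
}

/* Minimal stand-in for the fuzzer's mutation loop, so the target can be
 * exercised without libFuzzer: random bit flips, length bytes and truncations
 * of the seed record, driven by an xorshift32 generator. Returns how many
 * mutated inputs the hardened parser rejected. */
unsigned run_local_mutations(unsigned iters, uint32_t seed) {
    uint8_t buf[sizeof kGoodRecord + 4];
    unsigned rejected = 0;
    uint32_t x = seed ? seed : 1;
    for (unsigned i = 0; i < iters; i++) {
        memset(buf, 0, sizeof buf);
        memcpy(buf, kGoodRecord, sizeof kGoodRecord);
        size_t len = sizeof kGoodRecord;
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        switch (x % 3) {
        case 0: buf[(x >> 8) % len] ^= (uint8_t)(x >> 16); break;  /* flip bits */
        case 1: buf[0] = (uint8_t)(x >> 8); break;                 /* random length byte */
        default: len = 1 + (x >> 8) % (sizeof buf - 1); break;     /* grow or truncate */
        }
        if (parse_record_fixed(buf, len) < 0) rejected++;
    }
    return rejected;
}

int main(void) {
    uint8_t buf[256];
    size_t n = make_oversize_record(buf, sizeof buf);
    printf("hardened parser on 255-byte name: %d\n", parse_record_fixed(buf, n));
    printf("rejected %u of 10000 mutated inputs\n", run_local_mutations(10000, 1));
    return 0;
}
```

The point of the shape is that the target has no main of its own to maintain: the fuzzer supplies the driver, the sanitizer supplies the oracle, and the same file compiles as a plain unit test when neither is linked. Swapping `parse_record_fixed` for `parse_record_vulnerable` in `LLVMFuzzerTestOneInput` and running under AddressSanitizer produces a crashing input equivalent to `make_oversize_record`, which is the artifact a platform like the one described above would triage, deduplicate and report.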


