At Microsoft’s Ignite conference in Atlanta yesterday, the company announced the availability of a new cloud-based service for developers that will allow them to test application binaries for security flaws before they’re deployed. Called Project Springfield, the service uses “whitebox fuzzing” (also known as “smart fuzzing”) to test for common software bugs used by attackers to exploit systems.
In standard fuzzing tests, randomized inputs are thrown at software in an effort to find something that breaks the code—a buffer overflow that would let malicious code be planted in the system’s memory or an unhandled exception that causes the software to crash or processes to hang. But the problem with this random approach is that it’s hard to get deep into the logic of code. Another approach, called static code analysis (or “whiteboxing”), looks instead at the source code and walks through it without executing it, using ranges of inputs to determine whether security flaws may be present.
Whitebox fuzzing combines some of the aspects of each of these approaches. Using sample inputs as a starting point, a whitebox fuzz tester dynamically generates new sets of inputs to exercise the code, walking deeper into processes. Using machine learning techniques, the system repeatedly runs the code through fuzzing sessions, adapting its approach based on what it discovers with each pass. The approach is similar to some of the techniques developed by competitors in the Defense Advanced Research Projects Agency’s Cyber Grand Challenge to allow for automated bug detection and patching.
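The contrast between blind random fuzzing and the feedback-driven approach described above, as an added Python example that is not Project Springfield's or Microsoft's code but a deliberately simplified model of the technique: the constructed toy parser records every byte comparison it makes (the path constraints), and the whitebox fuzzer builds each new input by negating a comparison the last run did not take, so it walks past a four-byte header that random mutation practically never passes. The names instrumented_target, whitebox_fuzz and random_fuzz, the "MSFT" header and the seed bytes (the "sample input" the article mentions) are all assumptions of this example.

```python
import random

def instrumented_target(data: bytes, trace: list) -> None:
    """Constructed toy parser standing in for the binary under test.
    Every byte comparison is appended to `trace` as (offset, expected, taken),
    which is the path-constraint information a whitebox fuzzer collects."""
    def eq(i: int, want: int) -> bool:
        taken = len(data) > i and data[i] == want
        trace.append((i, want, taken))
        return taken
    if not eq(0, 0x4D) or not eq(1, 0x53) or not eq(2, 0x46) or not eq(3, 0x54):
        return  # header must read "MSFT"; short-circuit mirrors the real path
    if len(data) < 5:
        return
    field = bytearray(8)
    field[data[4]] = 1  # defect: length byte trusted, IndexError when >= 8

def whitebox_fuzz(seed: bytes, max_runs: int = 100):
    """Run an input, then derive new inputs by negating each comparison the
    run did not take. This is the constraint-solving step; it is trivial here
    because every constraint is a single byte equality (a real whitebox fuzzer
    also solves range and arithmetic constraints). Returns (crash_input, runs)."""
    queue, seen, runs = [seed], {seed}, 0
    while queue and runs < max_runs:
        data, trace = queue.pop(0), []
        runs += 1
        try:
            instrumented_target(data, trace)
        except IndexError:
            return data, runs          # defect reached: report the input
        for i, want, taken in trace:
            if not taken:
                new = bytearray(data.ljust(i + 1, b"\0"))
                new[i] = want          # satisfy the comparison we missed
                if bytes(new) not in seen:
                    seen.add(bytes(new)); queue.append(bytes(new))
    return None, runs

def random_fuzz(seed: bytes, max_runs: int = 2000, rng_seed: int = 1):
    """Blind mutation for comparison: overwrite random bytes, no feedback."""
    rng = random.Random(rng_seed)
    for runs in range(1, max_runs + 1):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            data[rng.randrange(len(data))] = rng.randrange(256)
        try:
            instrumented_target(bytes(data), [])
        except IndexError:
            return bytes(data), runs
    return None, max_runs
```

With the seed b"hello world", whitebox_fuzz reaches the defect in five runs (the fifth byte, 'o', is the out-of-range length that triggers it), while random_fuzz exhausts its budget without passing the header.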