Microsoft is all set to replace its traditional software testing tool with a new open-source tool called Project OneFuzz. Earlier this year, Microsoft revealed the company would eventually come up with a new developer tool that will find and fix bugs on its own. This tool will redefine the way Microsoft conducts software testing at scale.
What is Project OneFuzz?
Every software has bugs. When a software bug is exploited for malicious activities, it’s called the software vulnerability. Software vulnerabilities can be categorized as either known or unknown vulnerabilities. Unknown vulnerabilities, also known as zero-day vulnerabilities, are dangerous.
Zero-day vulnerabilities allow attackers to operate unnoticed for an extended period. This is where Fuzz testing or Fuzzing comes into the picture. With the help of Fuzzing, software testers manipulate input data to send until the malformed input causes the software to crash.
Traditionally, fuzz testing has been complicated and expensive since it requires dedicated security engineering teams to build and operate those software testing capabilities.
Microsoft’s Project OneFuzz enables developers to perform fuzz testing so that they can discover vulnerabilities earlier in the development lifecycle. It’s an automated, open-source tool for developers that comprises an extensible fuzz testing framework for Azure.
In a recent blog post, Microsoft wrote:
“Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape.”
“Project OneFuzz has already enabled continuous developer-driven fuzzing of Windows that has allowed Microsoft to proactively harden the Windows platform prior to shipment of the latest OS builds.”
Project OneFuzz enables crash detection, coverage tracking, and Input harnessing. Following is the full list of Project OneFuzz features:
- Composable fuzzing workflows
- Built-in ensemble fuzzing
- Programmatic triage and result deduplication
- On-demand live-debugging of found crashes
- Observable and Debug-able
- Fuzz on Windows and Linux OSes
- Crash reporting notification callbacks
The Project OneFuzz is available on GitHub for developers.