Developers keen to test their newly created software against some of the more common exploits out there now have a new avenue to do so. Announced at Microsoft’s Ignite Conference this week, the software giant debuted Project Springfield, a platform which can throw simple attack vectors at application binaries to test them for a number of security flaws.
Although automated testing is a relatively common method of testing the security of a piece of software, Microsoft is coining a new type of exploit hunting for its new platform. “Whitebox fuzzing,” as it is called, is said to combine different testing methods from traditional whiteboxing and fuzzing, hence the name.
It uses similar varied inputs at different levels of the code base to simulate attacks and test for potential weaknesses, all the while using machine learning to refine the input process so that it more intelligently tests the software over and over, according to Ars Technica. This is more likely to mirror a human tester or a potential hacker who would try to deliberately break the system.
The big advantage being that it is remote, so no local access is required and the tests and be repeated and altered time and again for much more thorough testing.
This is a process that Microsoft has been using internally for some time now. The basis for Project Springfield, known as SAGE, was first used to test different aspects of Windows 7 prior to its release. It ultimately discovered as much as a third of all pre-release bugs discovered by fuzzing tools, despite being used as a last line of defense after all other automated testing was complete.
Now that sort of system is available to developers through a easy-to-use user interface and it is available through the Azure Cloud platform, so it is easily accessible. Linux support is planned for the future, but for now Windows binaries are the only ones that it will work with.
Available on a limited preview, Microsoft is openly looking for clients who are interested in using the service to test its popularity and viability on a wider set of binaries.
- Microsoft wants to stuff Linux, not Windows 10, into Internet of Things devices
- Microsoft misses another Edge-related 90-day security disclosure deadline
- Microsoft will pay you up to $250,000 to find Spectre-like flaws
- Intel decides not to patch Spectre vulnerability for older processors
- First Spectre, now BranchScope — another vulnerability in Intel processors