Application security

Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns

In September 2020, the Microsoft Security Team announced that Microsoft’s new open-source fuzzing platform, Project OneFuzz, was available as an open-source developer tool in GitHub. 

Microsoft’s Project OneFuzz framework is used by Microsoft Azure, Edge, Windows and teams across Microsoft. Microsoft describes Project OneFuzz as a self-hosted Fuzzing-as-a-Service (FaaS) platform. It enables developers to easily and continuously fuzz test their software and applications, identify security flaws and fix bugs prior to release.

What is fuzzing?

Fuzzing or fuzz testing was originally developed by Professor Barton Miller at the University of Wisconsin-Madison in 1989. Fuzzing is an automated software testing technique used in discovering software vulnerabilities by randomly parsing invalid or malformed data. 

In a fuzz test, the application is executed repeatedly with invalid and unexpected data with the goal of discovering security flaws. Fuzzing is also a mandatory in the software development life cycle (SDLC). However, it is very complicated and expensive to harness, execute and extract information from.

How can Microsoft’s Project OneFuzz Framework be used?

The OneFuzz Framework can be embedded into continuous build systems (i.e., Continuous Integration and Continuous Deploy or CI/CD) by executing a single command. Developers can launch fuzz jobs of various sizes from a number of virtual machines to thousands of cores. It also enables developers to create unit test binaries with modern fuzzing labs. 

The framework is also a replacement of the Microsoft Security and Risk Detection software testing model. Project OneFuzz has been used in the fuzzing of the latest OS builds of Windows.

Features of Project OneFuzz

As described on Microsoft’s own OneFuzz GitHub, the features of Project OneFuzz include the following:

• Composable fuzzing workflows: Open-source allows users to onboard their own fuzzers, swap instrumentation and manage seed inputs.
• Built-in ensemble fuzzing: By default, fuzzers work as a team that shares strengths, swapping inputs of interest between fuzzing technologies.
• Programmatic triage and result deduplication: Get unique flaw cases that always reproduce.
• On-demand live debugging of found crashes: Summon a live debugging session on-demand or from your build system.
• Observable and debuggable: Transparent design allows introspection into every stage.
• Fuzz on Windows and Linux Operating Systems (OSes): Multi-platform by design.
• Crash reporting notification callbacks: Currently supporting Microsoft Teams messages and Azure DevOps Work Items.

Pros of OneFuzz

Fuzzing helps to improve software security testing by detecting application security vulnerabilities and bugs in software/applications/systems which may have been overlooked or not detected during the software development and debugging phase. Fuzzing is also used to test software/applications when processing untrusted inputs (that a user or another application may control).

Cons of OneFuzz

Fuzzing is commonly used by attackers to find vulnerabilities such as buffer overflow, SQL injection, unhandled exceptions, memory leaks and so on in the systems. Project OneFuzz can be used by bad actors to detect and exploit vulnerabilities and bugs in applications/software. This can be done by creating a list of fuzz vectors (i.e., well-known dangerous values) for various input field types such as numbers, characters, metadata etc.

 

Sources

A brief introduction to fuzzing and why it’s an important tool for developers, Microsoft Research Blog

Project OneFuzz Framework, Microsoft Security Blog

Project OneFuzz Framework, GitHub (Microsoft)

Fuzzing, OWASP

Fuzzing: Hack, Art, and Science, Patrice Godefroid