Microsoft has open-sourced the fuzzing tool it uses to scour its own code for potential security vulnerabilities.
Fuzzing is a way of testing software by feeding it random inputs in the hope it fails in revealing ways. The technique is widely admired because it gets results and can be automated.
The tool Microsoft has released is called “OneFuzz” and the company says “the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.”
“OneFuzz has already enabled continuous developer-driven fuzzing of Windows that has allowed Microsoft to proactively harden the Windows platform prior to shipment of the latest OS builds,” said Microsoft Security principal security software engineering lead Justin Campbell and senior director for special projects management Mike Walker.
That pedigree may not fill you with confidence seeing as Microsoft’s September patch dump fixed 129 flaws, its August effort addressed 120 problems and in July it found 123 dangerous flaws. 54 of the bugs reported in the quarter were rated “Critical”, or 14.5 percent.
The tool’s been open-sourced because: “Microsoft’s goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment.”
“The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker’s job more difficult,” Campbell and Walker added.
The pair promise that the tool offers a single command line capable of launching “fuzz jobs ranging in size from a few virtual machines to thousands of cores.” Visual Studio is adding support for that sort of thing and other features in the tool.
OneFuzz has been released under an MIT license and is yours for the downloading and/or footling with from GitHub. ®