Project OneFuzz, Microsoft’s fuzz-testing security tool collection, goes open source

Project OneFuzz is a testing framework for Azure and a collection of various cyber security testing tools that help to identify bugs.

Employing Google’s open-source fuzzing bots, a myriad of bugs have been pinpointed in open-source software projects over time.

For those interested, Project OneFuzz is now available at GitHub along other Microsoft open-source projects such as:

  • .NET Core
  • Visual Studio Code
  • TypeScript programming language for JavaScript

Microsoft described Project OneFuzz as an “extensible fuzz testing framework for Azure” – so what is fuzzing?

In essence, the technique revolves around slamming a piece of software with random code to invoke a crash – this not only reveals potential cyber security issues but also performance problems.

Google has been pushing security researchers and coders towards using the fuzzing technique for quite a while.

At one point, Microsoft announced that an open-source fuzzing tool would replace Microsoft Security and Risk Detection.

According to the company, it is due to Project OneFuzz that Windows 10 has been hardened.

In addition, the project has helped with boosting the security of Microsoft Edge.

Microsoft’s senior director of special projects management Mike Walker and principal security software engineering lead Justin Campbell commented that fuzz testing is great for making native code more secure and reliable.

On the flipside, however, traditional fuzz testing tends to be rather complicated when it comes to extracting usable information from its results, despite its overall effectiveness.

The complexity that surrounds it requires dedicated security engineering teams to code and perform fuzz-testing capabilities, a process that can become quite expensive.

The technique has been brought to a new technological level recently though.

Thanks to these advancements, it is now cheaper to do, and baking these processes into continuous build systems is now a possibility.