Microsoft has recently launched Project Springfield. This project allows for “fuzzing”, which I believe will revolutionize the way security is tested. Bug hunting on the Azure cloud is now open for business, and many people have already joined.
Microsoft is convinced that security testing can be revolutionized by “fuzzing” in the cloud. This is a statement that they made in 2010, and one that they have clearly been committed to ever since. They have now launched Project Springfield, an Azure-based service that identifies software flaws by automatically subjecting code to bad input.
At the recent Microsoft Ignite conference, which was held in Atlanta, GA, the project was introduced and explained. Essentially, it has given developers the opportunity to continuously conduct tests of any binary files found on virtual machines that operate under Microsoft Azure. In so doing, they should be able to identify bugs and eliminate them.
According to Microsoft, the team currently sees Project Springfield as the best bug detector in the world (a “million dollar” one to be exact). This is because, if a bug is left in place, fixing it may cost as much as a million dollars. Naturally, these costs vary depending on the nature of the bug and how long it is left.
The U.S. National Institute of Standards and Technology released a study in 2002 in which they estimated that between $22.2 billion and $59.5 billion is spent every year on software bugs. Considering this piece of research is quite old, it is estimated that it costs the U.S. economy closer to $79 billion per year now. As such, if it is possible to catch a software bug before it actually gets released to the public, then repair costs could be significantly decreased.
According to Microsoft, as much as 33% of their Windows 7 security bugs were found through the technology known as “whitebox fuzzing”. That technology was previously named SAGE (scalable, automated, guided execution), and SAGE is now an integral part of Project Springfield.
Of course, Microsoft has also pointed towards the need for better artificial intelligence, which is the hot topic in Silicon Valley right now. According to the software giant, Microsoft’s new system uses artificial intelligence to ask questions and, at the same time, to make decisions about what it believes will cause a crash in the code.
Microsoft’s whitebox fuzzing algorithm executes code from a specific start input. It then develops further input data by looking at and understanding the conditional statements that it comes across along the way. This is very different from “blackbox fuzzing”, in which malformed input data is sent without first checking that all the possible target paths have been reviewed. As a result, blackbox fuzzing could miss critical test conditions without anybody ever knowing about it.
Fuzzing is a fantastic fit for cloud computing. This is because fuzzing software is able to run multiple tests in parallel, using huge parts of the infrastructure that is available to it. However, the main benefit is that there is a shared cloud infrastructure, not that it has computational elasticity. This is something Microsoft already discussed in their 2010 research paper written by David Molnar and Patrice Godefroid.
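The difference described above can be seen in a small sketch. This is an added example, not Microsoft's SAGE or Project Springfield code: the toy `target`, the `MAGIC` value and all function names are constructed for illustration, and the "constraint solver" is reduced to substituting the byte a failed comparison wanted, where a real whitebox fuzzer would use symbolic execution and a solver.

```python
import random

MAGIC = b"bad!"  # constructed target: crashes only when all four bytes match

def target(data, trace):
    """Toy program under test (assumes 4-byte input); logs every comparison."""
    hits = 0
    for i, want in enumerate(MAGIC):
        taken = data[i] == want
        trace.append((i, want, taken))  # stand-in for a recorded path constraint
        hits += taken
    if hits == len(MAGIC):
        raise RuntimeError("crash")

def run(data):
    """Execute the target once; return (trace, crashed)."""
    trace = []
    try:
        target(data, trace)
        return trace, False
    except RuntimeError:
        return trace, True

def whitebox_fuzz(seed, max_runs=1000):
    """Start from a seed, then negate each untaken branch to derive new inputs."""
    queue, seen, runs = [seed], {seed}, 0
    while queue and runs < max_runs:
        data = queue.pop(0)
        trace, crashed = run(data)
        runs += 1
        if crashed:
            return data, runs
        for i, want, taken in trace:
            if not taken:  # "solve" the negated condition data[i] == want
                child = data[:i] + bytes([want]) + data[i + 1:]
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
    return None, runs

def blackbox_fuzz(seed, max_runs=1000, rng_seed=0):
    """Send random inputs with no knowledge of the branches inside the target."""
    rng = random.Random(rng_seed)
    for _ in range(max_runs):
        data = bytes(rng.randrange(256) for _ in range(len(seed)))
        if run(data)[1]:
            return data, max_runs
    return None, max_runs
```

Starting from the seed `b"good"`, the guided search reaches the crashing input in 16 executions, while each random input has only a 1 in 2^32 chance of passing all four comparisons.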
A representative from Flair4IT.co.uk, who was present at the conference, said: “It is really clever that they now host their security testing on their own cloud. This makes the whole process of getting information together so much easier. It also ensures improvements in future tools can be driven, updates can easily be rolled out, bills are more simplified, and more.”