Project Springfield offers fuzzing, which isn’t nearly as titillating as it sounds
Ignite Microsoft’s conviction that “fuzzing in the cloud will revolutionize security testing,” voiced in a research paper six years ago, has taken form with the debut of Project Springfield: an Azure-based service for identifying software flaws by automatically subjecting the code to bad input.
Introduced at the Ignite conference in Atlanta, Georgia, on Monday, Project Springfield offers developers the ability to conduct continuous testing of binary files on virtual machines running atop Microsoft Azure, in order to identify and eliminate bugs.
Allison Linn, self-described writer and storyteller for Microsoft, says that Microsoft’s research team thinks about Project Springfield as a “million-dollar bug detector” (not to be confused with the Million Dollar Homepage) because some software bugs cost that much to fix if left too long. Your costs may vary.
A 2002 study released by the US National Institute of Standards and Technology estimated that software bugs cost the US economy between $22.2 and $59.5 billion annually (more like $79 billion today). Catching bugs before software gets released presumably can bring repair costs down, if that’s your goal.
Microsoft insists a third of the “million dollar” security bugs in Windows 7 were found using its “whitebox fuzzing” technology, referred to internally as SAGE (scalable, automated, guided execution). SAGE is one of the components of Project Springfield.
Like other announcements echoing around Silicon Valley these days, artificial intelligence comes into play. Microsoft says its system employs AI to ask questions and make better decisions about conditions that might cause code to crash.
Microsoft’s whitebox fuzzing algorithm symbolically executes code from a starting input and develops subsequent input data based on constraints from the conditional statements it encounters along the way. The technology is distinct from blackbox fuzzing, which involves the sending of malformed input data without ensuring all the target paths have been explored. Blackbox fuzzing thus has the potential to miss a critical test condition by chance.
Fuzzing lends itself to cloud computing because fuzzing software can run different tests in parallel using large amounts of available infrastructure. But Microsoft researchers Patrice Godefroid and David Molnar, in their 2010 research paper, argue that such computational elasticity matters less than the benefits of shared cloud infrastructure.
“Hosting security testing in the cloud simplifies the process of gathering information from each enrolled application, rolling out updates, and driving improvements in future development,” they wrote.
It also, it is claimed, simplifies billing. ®