Users can access the open source tools under an MIT license on Microsoft’s GitHub platform. If you’re unfamiliar with fuzz testing, it is a common method for locating and deleting security flaws. Specifically, fuzz testing has become popular because it is highly effective at maintaining the security of native code. However, fuzz has often meant developers must make compromises. Most notably, while it is effective testing is typically complicated to use. Microsoft points out fuzz testing has been expensive for developers, despite its usefulness. The company wants dev’s to harness testing earlier, allowing them to find security problems earlier in the development cycle. In a blog post, Microsoft points out doing so will remove workloads from security teams and allow them to pursue other areas. That’s where Project OneFuzz comes in. It allows users to constantly fuzz test code before it is released.
Project OneFuzz Features
“Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs. Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies. Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce. On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system. Observable and Debug-able: Transparent design allows introspection into every stage. Fuzz on Windows and Linux OSes: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor. Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages”