A year ago Microsoft announced that it would replace its Microsoft Security Risk Detection (MSRD) fuzzing service with an automated open source tool, in an effort to stay ahead of the industry, experts from a malware analysis course mention.

The company has now announced the launch of Project OneFuzz, a self-hosted fuzzing framework for Azure that is available to developers around the world as an open source tool on GitHub.

The cybersecurity community agrees that fuzzing is one of the most effective methods for finding and fixing security flaws that could cause severe problems in real-world scenarios. Its implementation, however, poses problems of its own for security researchers: these tests have traditionally required a complete security team, which greatly increases the cost of the process.

Project OneFuzz was created to give analysts a much more practical way to run fuzzing tests while delivering the same results as conventional methods. Tasks that previously required a dedicated team can now be simplified through:

  • Automatic crash detection
  • Coverage tracking, once done with external tools such as iDNA, DynamoRIO and Pin, can now be compiled in with sancov (sanitizer coverage)
  • Input harnessing, once done through custom I/O harnesses, can now be done through libFuzzer's LLVMFuzzerTestOneInput function prototype

According to specialists in the malware analysis course, these new approaches allow developers to build unit test binaries with a complete fuzzing lab compiled in: reliable test invocation, input generation, coverage tracking and crash detection in a single executable.
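As an added example (not code from the OneFuzz project, Microsoft, or the original article), here is what such a single-executable fuzzing lab looks like in practice: a libFuzzer harness in C for a hypothetical length-prefixed record parser. The record format, the parser and the function names `parse_record` / `parse_record_unchecked` are assumptions made for illustration. `LLVMFuzzerTestOneInput` is the input harness, `-fsanitize=fuzzer` adds the sancov coverage instrumentation and libFuzzer's own `main`, and `-fsanitize=address` turns the memory bug in the unchecked variant into an immediate, reproducible crash instead of silent corruption.

```c
/* Added example, not OneFuzz code: libFuzzer harness for a hypothetical
 * length-prefixed record parser (one length byte N, then N payload bytes).
 *
 * Build the hardened target:
 *   clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness
 * Build the deliberately buggy target:
 *   clang -g -O1 -fsanitize=fuzzer,address -DUSE_UNCHECKED harness.c -o harness-buggy
 * Run either one with a seed directory:  ./harness seeds/
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OUT_MAX 64   /* size of the caller's output buffer in the harness */

/* Unchecked parser: trusts the length byte. A record whose length byte is
 * larger than the remaining input over-reads `data`, and one larger than
 * OUT_MAX overflows `out`. ASan reports both on the first such input. */
int parse_record_unchecked(const uint8_t *data, size_t len, char *out)
{
    if (len == 0)
        return -1;
    size_t n = data[0];
    memcpy(out, data + 1, n);   /* BUG: n is bounded neither by len-1 nor by the output size */
    out[n] = '\0';
    return (int)n;
}

/* Hardened parser: every length is validated before it is used.
 * Returns the payload length on success, -1 on any malformed input. */
int parse_record(const uint8_t *data, size_t len, char *out, size_t out_len)
{
    if (data == NULL || len == 0 || out_len == 0)
        return -1;
    size_t n = data[0];
    if (n > len - 1)            /* length byte claims more payload than is present */
        return -1;
    if (n >= out_len)           /* payload plus terminator would not fit in `out` */
        return -1;
    memcpy(out, data + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* libFuzzer entry point. The libFuzzer runtime supplies main(), generates
 * inputs guided by the sancov coverage feedback, and calls this function once
 * per input. It must return 0; other values are reserved by libFuzzer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char out[OUT_MAX];
#ifdef USE_UNCHECKED
    parse_record_unchecked(data, size, out);
#else
    parse_record(data, size, out, sizeof out);
#endif
    return 0;
}
```

Run the buggy build and ASan reports a heap-buffer-overflow read (the input buffer libFuzzer hands in is exactly `size` bytes long) as soon as the fuzzer mutates a length byte past the end of the input; libFuzzer saves that input as a `crash-<hash>` file, and passing that file back to the binary as its only argument reproduces the crash deterministically. The hardened build runs indefinitely without a report, which is the result a fuzzing job in a platform like OneFuzz is meant to keep confirming on every build.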

Researchers with early access to OneFuzz have already used it to run multiple fuzzing campaigns on Windows that served as a proactive security check before the release of the latest versions of the operating system. With a single command, any developer will be able to launch a fuzzing job, from a small deployment to a far more ambitious project.

In the report, experts from the malware analysis course mention that OneFuzz allows:

  • Composable fuzzing workflows: users can incorporate their own fuzzers, swap instrumentation, and combine other functions as needed
  • Ensemble fuzzing: fuzzers work as a team, sharing their strengths by exchanging interesting inputs between fuzzing technologies
  • Programmatic triage and result deduplication: provides unique crash cases that always reproduce
  • Live on-demand debugging of found crashes: a live debugging session can be summoned on demand or from the build system
  • Observable and refinable: the transparent design allows introspection at each stage
  • Fuzzing on Windows and Linux: fuzz using your own build of the operating system, kernel or nested hypervisor

As mentioned above, OneFuzz is now available on GitHub under the MIT license. The tool will be updated with contributions from Microsoft research groups and security teams, and the company has said it will continue to maintain and expand Project OneFuzz, releasing updates and taking feedback from the community.