Microsoft open-sources fuzzing tool used for bug-ridden Windows 10

magnifying glass showing bug on binary code

Microsoft has publicly released the vulnerability testing tool it uses to detect bugs in its flagship products including the Windows 10 operating system, which has been blighted with glitches in recent months.

After previously revealing it would replace its existing software testing programme, known as Microsoft Security and Risk Detection, Microsoft has made its automated and open source tool available through Github for developers around the world.

This transition to fuzzing, dubbed Project OneFuzz, sits in line with the wider industry’s movement to this method of vulnerability detection. Google, for example, has deployed fuzzing for some time, and even launched a Fuzzing benchmarking tool in March this year for developers to compare the viability of different services.

The technique is known to be a highly effective method for raising the level of security and reliability of native code, and involves developers feeding random excerpts of programming into a bug detection engine.

Project OneFuzz is an extensive fuzz testing framework that can be deployed through the Azure public cloud, and is the same testing framework used to detect bugs in various Microsoft products including Windows, Edge and other projects.

“Microsoft’s goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment,” said Microsoft Security’s principal security software engineer lead Justin Campbell and senior director for special projects management Mike Walker.

“The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker’s job more difficult.

Recent advancements have transformed the security engineering tasks involved in fuzz testing native code, with several useful functionalities including crash detection, coverage tracking and input harnessing now baked into fuzzing.

Project OneFuzz has already allowed developers to continuously scan Windows operating system builds for errors and harden updates prior to launch, Microsoft claims. Windows 10, however, has suffered from recent waves of glitches and bugs, particularly as a result of both major and minor updates.

Windows 10’s May 2020 Update, for example, has produced a litany of issues for users of all varieties over the last few months, ranging from strange networking and connectivity issues to problems affecting Lenovo devices specifically.


Why containerisation needs context

The problems with infrastructure monitoring in the age of Kubernetes


The latest Patch Tuesday, too, saw Microsoft release 129 fixes across its various products including 23 patches for critical flaws, signalling that big updates have become the new normal for the Windows developer.

Microsoft would hope that the continued deployment of Project OneFuzz would eventually begin to iron out errors and bugs prior to patches and updates being released.

Project OneFuzz gives developers the capability to launch fuzz jobs running from a few virtual machines to thousands of cores. Features include composable fuzzing workloads, built-in ensemble fuzzing, on-demand live-debugging of crashes, and crash reporting notification callbacks, among many others.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is the Features Editor for ITPro, CloudPro and ChannelPro. He oversees the commissioning and publication of in-depth and long-form features across all three sites, including opinion articles and case studies. He also occasionally contributes his thoughts to the IT Pro Podcast, and writes content for the Business Briefing. Keumars joined IT Pro as a staff writer in April 2018. He specialises in the public sector but writes across a breadth of core topics including cyber security and cloud computing.