At the Microsoft Ignite conference in Atlanta In September 2016, Microsoft announced a preview of Project Springfield, a security-oriented cloud service that’s based on work from Microsoft Research. Roughly put, Project Springfield is Microsoft’s fuzz testing tool for finding critical security bugs in software.
According to its team of creators, it’s the million-dollar bug detector, because each time the system finds a likely serious bug proactively before a piece of software is released, it is saving a developer the costly effort of having to release a patch reactively once the product is already public. This can save a million USD, at least with big software applications like Microsoft Office.
That all sounds great. But how does Springfield actually work? This article explains the product from a technical perspective.
Fuzz testing with a taste of AI
Fuzz testing is an important part of the Security Development LifeCycle (SDLC).
Fuzz testing means deliberately introducing malformed or random data into an application in order to reveal potential security issues. Simply put, the goal is to crash your system. It is a part of your whitebox testing strategy.
However, in the Springfield case, Microsoft is also adding a taste of artificial intelligence, or AI. Project Springfield uses AI to ask a set of “what if” questions, resulting in more refined decisions about what might trigger a crash and signal a security concern. Each time it runs, it gathers data to home in on the areas that are most critical.
Figure 1 provides a broad overview of how Project Springfield works.
Figure 1: The Project Springfield process
Here is a brief description of the steps that the tool follows:
- The customer logs into a secure web portal (Microsoft Azure-based). Project Springfield provides a Virtual Machine (VM) for the customer, on which the binaries of the software to be tested can be installed. It also provides a “test driver” program that runs the scenario to be tested, and a set of sample input files called “seed files” to use as a starting point for fuzzing.
- Project Springfield will continuously fuzz test using multiple methods, along with Microsoft whitebox fuzzing technology.
- Project Springfield reports security vulnerabilities in real time on the secure web portal. Customers can download actionable test cases to reproduce the issue.
- Customers can prioritize and fix bugs. They then re-test to ensure the effectiveness of the fix.
Project Springfield is a replacement for SAGE, a similar tool that Microsoft has offered since the mid-2000s. Microsoft’s SAGE is also a whitebox fuzz testing tool, but Project Springfield has enriched it with a simple dashboard to make it usable for people with just a basic security background.
- Project Springfield is Microsoft’s next generation whitebox fuzz testing tool for the Security Development Software LifeCycle.
- The tool is stored in a virtual machine.
- It’s easy and safely accessible via the cloud.
- It’s easy to use because of a simple dashboard.
- It’s powerful because of the AI under the hood.