Although automated testing is a relatively common method of testing the security of a piece of software, Microsoft is coining a new type of exploit hunting for its new platform. “Whitebox fuzzing,” as it is called, is said to combine different testing methods from traditional whiteboxing and fuzzing, hence the name.
It uses similar varied inputs at different levels of the code base to simulate attacks and test for potential weaknesses, all the while using machine learning to refine the input process so that it more intelligently tests the software over and over, according to Ars Technica. This is more likely to mirror a human tester or a potential hacker who would try to deliberately break the system.
The big advantage being that it is remote, so no local access is required and the tests and be repeated and altered time and again for much more thorough testing.
This is a process that Microsoft has been using internally for some time now. The basis for Project Springfield, known as SAGE, was first used to test different aspects of Windows 7 prior to its release. It ultimately discovered as much as a third of all pre-release bugs discovered by fuzzing tools, despite being used as a last line of defense after all other automated testing was complete.
Now that sort of system is available to developers through a easy-to-use user interface and it is available through the Azure Cloud platform, so it is easily accessible. Linux support is planned for the future, but for now Windows binaries are the only ones that it will work with.
Available on a limited preview, Microsoft is openly looking for clients who are interested in using the service to test its popularity and viability on a wider set of binaries.
