What Happens When You Incorporate Artificial Intelligence (AI) into a Cloud-Based Fuzz Testing Service?

By Todd Barnes

For those of you that may know Springfield does not refer to the lovely locale in Illinois, Missouri or even Oregon for that matter. Springfield for my context refers to the code name for what is now Microsoft Security Risk Detection (MSRD) – a newly released Security as a Service offering. Springfield offers its customers fuzzing technology in an easy to use package currently for software running on Linux and Windows platforms. Springfield is a product of the Microsoft Artificial Intelligence and Research Team.

Fuzzing (or fuzz testing) is an automated technology that is useful for identifying bugs in data parsing software. Fuzzing produces unexpected, erroneous and sometimes random inputs to parsers in an attempt to break them. This causes exceptions, crashes and undefined behaviors that are the holy grail for hackers in the wild. The goal is to identify these edge and corner cases, hardening the software before it is released to prevent the kinds of breakdowns and intrusions we’ve been seeing. Microsoft has been using the technology to harden and secure Windows and Office products for years and has now packaged that technology running on Azure for sale.

Running in the cloud makes the service highly scalable. Customers are allocated their own Virtual Machine (VM) to configure their applications on. Once complete their setup is cloned and duplicated on a number of VMs, which perform the actual fuzzing. MSRD employs a variety of “fuzzers” on customer applications, which use different methods to generate the inputs. Certain fuzzers are known to be good on certain types of software so a variety is applied in attempt to find as many errors in the target software as possible. Some fuzzers are smart enough to use code coverage capabilities to identify the paths in the target software. Inputs can then be guided to exercise the various paths that are found. If all the paths are exercised there is a high likelihood that testing is complete. Each crash, exception and hang is recorded and the input captured so that the customer can easily reproduce the problem in a debugger.

I have learned a great deal about this technology since arriving in the group a little over a month ago.  The team is very friendly and helpful, which has allowed me to ramp up fairly quickly. I am also learning a great deal about how to deploy a commercial service in Azure as well as the difficulties of doing so. People are quite willing to sit and describe the architecture of the system to me, which I enjoy. I have always felt it is a distinct advantage to know the architecture of your product. It enhances your diagnostic capabilities to the maximum degree.

The team has just recently released the product into the Microsoft catalog and there are a number of very interesting and exciting enhancements in the pipeline. I am eager to see what the future will bring for this group.