Microsoft opens up its 'million dollar' bug-finder

Project Springfield, which includes Microsoft's in-house testing technology for Windows and Office apps, uses whitebox fuzzing technology to sniff out flaws that could lead to crashes

Microsoft opens up its 'million dollar' bug-finder
Credit: Thinkstock

Microsoft is previewing a cloud-based bug detector, dubbed Project Springfield, that it calls one of its most sophisticated tools for finding potential security vulnerabilities.

Project Springfield uses "whitebox fuzzing," which uncovered one-third of the "million dollar" security bugs during the development of Windows 7. Microsoft has been using a component of the project called SAGE since the mid-2000s to test products prior to release, including fuzzing both Windows and Office applications. 

For this project, SAGE is bundled with other tools for fuzz testing, featuring a dashboard and other interfaces that enable use by people without an extensive security background. The tests are run using Microsoft's Azure cloud.

With fuzz testing, the system throws random inputs at software to find instances in which unforeseen actions cause software to crash. This testing, according to Microsoft researcher David Molnar, is ideal for software regularly incorporating inputs like documents, images, videos, or other information that may not be trustworthy. Bad actors are sought out that could launch malicious attacks or crash a system. Whitebox fuzz testing uses artificial intelligence to ask a series of "what if" questions and make decisions about what might cause a crash and signal a security concern.

The code-name, Springfield, previously was used at Microsoft for the now-defunct Popfly web page and mashup creation service. There's no relation between the two projects, a Microsoft representative said. Microsoft is extending preview invitations for Project Springfield to customers, with an initial group to evaluate it for free.

From CIO: 8 Free Online Courses to Grow Your Tech Skills