At the Microsoft Ignite conference in Atlanta today, Microsoft announced a preview of Project Springfield, a security-oriented cloud service that’s based on work from Microsoft Research.
Project Springfield can be considered a tool for fuzz testing, which involves giving software random input in order to uncover vulnerabilities that people could exploit. But the project’s use of artificial intelligence distinguishes it from other fuzz testing approaches. As Microsoft senior content manager Allison Linn explained in a blog post:
“Project Springfield builds on that idea with what it calls ‘white box fuzz testing.’ It uses artificial intelligence to ask a series of ‘what if’ questions and make more sophisticated decisions about what might trigger a crash and signal a security concern. Each time it runs, it gathers data to hone in on the areas that are most critical.”
Microsoft has used a part of Project Springfield called SAGE to find bugs in Windows and Office since the mid-2000s, Linn wrote. Now a full-fledged offering will become available for other organizations to use, and companies won’t need to run it on their own infrastructure.
“Project Springfield works on binaries, with no source code or private symbols needed,” Microsoft says on a website about Project Springfield. “You need to be able to install the software you deploy on a virtual machine that runs in Azure, provide a ‘test driver’ that exercises your software, and a set of sample inputs. Project Springfield uses these to create many test cases for exercising your program.”
Companies can now apply for access to the tool for free during the preview.
To learn more about white-box fuzz testing, you can watch Microsoft researcher Patrice Godefroid talk about the method in a 2009 video.