
Microsoft has open sourced its tool for sniffing out Windows 10 bugs

Microsoft has open sourced its internal fuzzing tool - Project OneFuzz - which is designed to automatically detect software security vulnerabilities, the company has revealed.

The fuzz testing framework is built for Azure and has been used by the firm to interrogate various products, including Windows 10, Microsoft Edge and more.

The release of Project OneFuzz delivers on promises made earlier this year to transition away from the Microsoft Security Risk Detection (MSRD) service and towards an automated, open-source equivalent.

In a blog post, the Redmond giant confirmed the tool is available immediately, for any development team that might want to use it.

Windows 10 bug hunt

According to Microsoft, advancements in the world of compilers have made fuzz testing code for vulnerabilities far cheaper and more accessible than ever before.

The company credits Google’s pioneering work in the space, which has served to streamline engineering tasks such as crash detection, coverage tracking and input harnessing.

“Fuzz testing is a highly effective method for increasing the security and reliability of native code - it is the gold standard for finding and removing costly, exploitable security flaws,” explained Justin Campbell and Mike Walker of Microsoft Security.

“Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute and extract information from.” 

According to the pair, making the Project OneFuzz framework widely available will mean bugs are discovered earlier in the development process and allow security staff to actively hunt down vulnerabilities.

The tool can reportedly be used to launch fuzz tasks, “ranging in size from a few virtual machines to thousands of cores”, with just a single line of code.

Project OneFuzz is available to download immediately via GitHub, published under the highly permissive MIT license, and will continue to receive regular updates from Microsoft.