Project Springfield is Microsoft’s unique fuzz testing service for finding security-critical bugs in software. Microsoft uses the tool internally to root out potential security vulnerabilities in software including Windows, Office and other products.
Project Springfield builds on the idea of fuzz testing with what it calls “white box fuzz testing.” It uses artificial intelligence to ask a series of “what if” questions and make more sophisticated decisions about what might trigger a crash and signal a security concern. Each time it runs, it gathers data to home in on the areas that are most critical. This more focused, intelligent approach makes it more likely that Project Springfield will find vulnerabilities other fuzzing tools might miss.
How does Project Springfield work?
- The customer logs into a secure web portal. Project Springfield provides a Virtual Machine (VM) on which the customer installs the binaries of the software to be tested, along with a “test driver” program that runs the scenario to be tested, and a set of sample input files called “seed files” to use as a starting point for fuzzing.
- Project Springfield will continuously fuzz test using multiple methods, including Microsoft whitebox fuzzing technology.
- Project Springfield reports security vulnerabilities in real time on the secure web portal. Customers can download actionable test cases to reproduce the issue.
- Customers can prioritize and fix bugs, then re-test to confirm that the fix is effective.
Microsoft is extending invitations for Project Springfield to external customers, and the initial group of select customers can evaluate the service for free. Sign up for the preview here.