Microsoft yesterday announced the release of a new tool called Project OneFuzz, an extensible fuzz testing framework for Azure that is used by Microsoft Edge, Windows, and teams across Microsoft. Microsoft is now open sourcing the tool, making it available to developers around the world under an MIT license.
Fuzz testing is a gold standard for finding and removing costly, exploitable security flaws. The availability of Project OneFuzz will help more developers improve the security of their code.
Project OneFuzz enables:
- Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
- Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
- Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
- On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
- Observable and debuggable: Transparent design allows introspection into every stage.
- Fuzz on Windows and Linux OSes: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor.
- Crash reporting notification callbacks: Currently supports Azure DevOps Work Items and Microsoft Teams messages.