This native code security talk is a joint presentation by Principals from Windows Security (COSINE) and Microsoft Research. The work by Google and other contributors to the llvm ecosystem on libfuzzer, ASan, and sancov have \u201cshifted left\u201d the field of fuzz testing from the hands of hackers and security auditors directly to CI\/CD developers. Rather than waiting for an auditing gate, developers should be able to receive fuzz testing results directly from their build system: quickly, cheaply, and reliably without false positives. To this end, Microsoft is adopting this testing paradigm via continuous cloud-based fuzzing of dedicated test binaries.<\/p>\n
Microsoft is currently fuzzing Windows continuously in Azure using libfuzzer and a fuzzing platform developed at Microsoft Research that we are releasing as Open Source at CppCon. Developers continuously building libfuzzer-based test binaries utilizing sanitizers and coverage instrumentation can now launch fuzzing jobs in the cloud with a single command line. This talk will introduce the framework and its capabilities including a live demo. Features include:<\/p>\n
\u2022 Composable fuzzing workflows: Open Source allows users to onboard their own fuzzers, swap instrumentation, introduce corpora,
\n\u2022 Built-in ensemble fuzzing: By default, fuzzers work as a team that shares strengths, swapping inputs of interest between fuzzing technologies
\n\u2022 Programmatic triage & result deduplication: Get unique flaw cases that always reproduce
\n\u2022 On-demand live-debugging of found crashes: Summon a live debugging session on-demand or from your build system
\n\u2022 Observable & Debug-able: Transparent design allows introspection into every stage
\n\u2022 Detailed telemetry: Easily monitor all your fuzzing from \u2018fuzztop\u2019
\n\u2022 Fuzz on Windows & Linux OSes: Multi-platform by design
\n\u2022 Crash reporting notification callbacks: Currently supporting Microsoft Teams
\n\u2022 Code Coverage KPIs: Monitor your progress and motivate testing using code coverage as key metric<\/p>\n
—
\nJustin Campbell is a Principal at Microsoft COSINE whose group is focused on Windows OS security: vulnerability testing at scale, sandboxing and mitigations. Justin was previously VP of Cyber Operations at Novetta and served as CTO at Ocean\u2019s Edge.<\/p>\n
Mike Walker is a Senior Director at MSR Special Projects. Prior to joining Microsoft, Mike led DARPA\u2019s Cyber Grand Challenge, a two-year $58M contest to construct & compete the first prototypes of reasoning cyberdefense systems. Mike has worked in a policy advisory role, testifying to the President\u2019s Commission on Cybersecurity, and has played in \u201cthe world series of hacking\u201d: DEF CON CTF finals. Mike has coached CTF teams and built CTFs throughout his career.<\/p>\n","protected":false},"excerpt":{"rendered":"
This native code security talk is a joint presentation by Principals from Windows Security (COSINE) and Microsoft Research. The work by Google and other contributors to the llvm ecosystem on libfuzzer, ASan, and sancov have \u201cshifted left\u201d the field of fuzz testing from the hands of hackers and security auditors directly to CI\/CD developers. Rather […]<\/p>\n","protected":false},"featured_media":736615,"template":"","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"footnotes":""},"research-area":[13558],"msr-video-type":[],"msr-locale":[268875],"msr-impact-theme":[],"msr-pillar":[],"class_list":["post-736612","msr-video","type-msr-video","status-publish","has-post-thumbnail","hentry","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_download_urls":"","msr_external_url":"https:\/\/www.youtube.com\/watch?v=NsmRPRxhLn0","msr_secondary_video_url":"","msr_video_file":"","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-video\/736612"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-video"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/msr-video"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-video\/736612\/revisions"}],"predecessor-version":[{"id":736618,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-video\/736612\/revisions\/736618"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media\/736615"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=736612"}],"wp:term":[{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=736612"},{"taxonomy":"msr-video-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-video-type?post=736612"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=736612"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=736612"},{"taxonomy":"msr-pillar","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-pillar?post=736612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}