CppCon 2020

This native code security talk is a joint presentation by Principals from Windows Security (COSINE) and Microsoft Research. The work by Google and other contributors to the llvm ecosystem on libfuzzer, ASan, and sancov have “shifted left” the field of fuzz testing from the hands of hackers and security auditors directly to CI/CD developers. Rather than waiting for an auditing gate, developers should be able to receive fuzz testing results directly from their build system: quickly, cheaply, and reliably without false positives. To this end, Microsoft is adopting this testing paradigm via continuous cloud-based fuzzing of dedicated test binaries.

Microsoft is currently fuzzing Windows continuously in Azure using libfuzzer and a fuzzing platform developed at Microsoft Research that we are releasing as Open Source at CppCon. Developers continuously building libfuzzer-based test binaries utilizing sanitizers and coverage instrumentation can now launch fuzzing jobs in the cloud with a single command line. This talk will introduce the framework and its capabilities including a live demo. Features include:

• Composable fuzzing workflows: Open Source allows users to onboard their own fuzzers, swap instrumentation, introduce corpora,
• Built-in ensemble fuzzing: By default, fuzzers work as a team that shares strengths, swapping inputs of interest between fuzzing technologies
• Programmatic triage & result deduplication: Get unique flaw cases that always reproduce
• On-demand live-debugging of found crashes: Summon a live debugging session on-demand or from your build system
• Observable & Debug-able: Transparent design allows introspection into every stage
• Detailed telemetry: Easily monitor all your fuzzing from ‘fuzztop’
• Fuzz on Windows & Linux OSes: Multi-platform by design
• Crash reporting notification callbacks: Currently supporting Microsoft Teams
• Code Coverage KPIs: Monitor your progress and motivate testing using code coverage as key metric