Find “million-dollar bugs” with Microsoft’s Project Springfield detector
Patch Windows and Office application vulnerabilities before they’re released
Microsoft is set to preview a tool to help developers find potentially serious bugs in its Windows and Office applications.
Redmond has used the cloud-based Project Springfield since the mid-2000s to spot bugs in its software code, but believes it could save developers a lot of money by letting them use the tool as well.
Calling it the “million-dollar bug detector” in a blog post, Microsoft said the security tool allows developers to test software for bugs before releasing it publically, when the cost of patching some bugs could be as high as $1 million if the software is widely-used.
“Those are the bugs that hackers will try to use,” said Patrice Godefroid, a principal researcher at Microsoft and chief scientist of Project Springfield. “The more we can find those bugs ourselves, the more we can fix them before we ship the software.”
The company has already tested Project Springfield with a small number of customers using smaller-scale applications than Windows and Office, and has been using one of the project’s key elements, SAGE, for around a decade itself.
When Microsoft ran SAGE on a pre-production version of Windows 7, it found a number of vulnerabilities other security tools had missed, eventually discovering one-third of all the bugs in Windows 7 that Redmond patched before release.
“There aren’t a lot of tools that can do what SAGE does,” said Mark Wodrich, a senior security engineer with Windows Defender Advanced Threat Protection.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
Project Springfield focuses on fuzz testing, where software is checked for backdoors and holes a hacker could exploit to crash the system or launch malware, making it the ideal way to test software to which a lot of users can upload documents and files that might be unsafe.
Specifically, it uses an AI system to ask ‘what if’ questions about possible backdoors and security holes, to make better decisions about what might cause a crash or become a security concern.
Because Springfield runs in Azure, developers don’t need to set up their own infrastructure to run tests. Instead, the tool securely delivers the results to the developers so they can fix any bugs it’s found.
“It’s very simple to use – it’s ‘fire and forget,’” said Gavin Thomas, a principal security software engineering manager with the Microsoft Security Response Center. “You set it up and you walk away.”
Microsoft hopes their customers who lack security engineers or security know-how will find the tool useful at a time when hackers regularly exploit security holes to cause data breaches.
The company has announced a preview of Project Springfield that people can sign up to, though there are no details yet on when it will become widely available.