Microsoft AI Tool Helps Devs Spot Bugs

Microsoft has launched what it claims to be one of the most sophisticated bug-hunting tools around, in a bid to help developers head off vulnerabilities in their Windows and Office apps.

Launched at Ignite this week, Project Springfield is a cloud-based service which uses “white box fuzz testing,” Redmond senior writer Alison Linn explained.

“It uses artificial intelligence to ask a series of ‘what if’ questions and make more sophisticated decisions about what might trigger a crash and signal a security concern,” she continued. “Each time it runs, it gathers data to hone in on the areas that are most critical. This more focused, intelligent approach makes it more likely that Project Springfield will find vulnerabilities other fuzzing tools might miss.”

It’s built on technology used by Microsoft internally to test products since the mid-2000s, dubbed Sage, and is bundled with other fuzz testing tools and a user-friendly dashboard ideal for those with a less technical background.

The code is tested in Azure and then delivered back to the customer to fix and then test again.

The tool was dubbed the “million-dollar bug-detector” by Microsoft internally because it helped the firm find serious vulnerabilities which would otherwise have cost the tech giant $1 million to reactively develop and deploy patches for.

“Those are the bugs that hackers will try to use,” said Patrice Godefroid, chief scientist behind Project Springfield. “The more we can find those bugs ourselves, the more we can fix them before we ship the software.”

By offering the tool to the wider developer community, Microsoft hopes it will help improve security all round.

It comes at a time when more vulnerabilities than ever are being discovered in software and exploited in cyber-attacks, but firms lack key skills such as fuzz testing, leading to demand for automated solutions, Microsoft claimed.

Secunia Research last year spotted over 16,000 vulnerabilities across more than 2400 products, with nearly 14% rated “extremely” or “highly” critical. Nearly a quarter (21%) of that total figure were found in Microsoft products.

What’s Hot on Infosecurity Magazine?