Microsoft’s Project Springfield is a new cloud-based bug detector

Mark Coppock

Project Springfield Featured

Identifying security vulnerabilities in software is an important aspect of quality control. The numerous recent examples of massive data breaches of personal information are a testament to the important of enhancing cloud security. Given Microsoft’s transition to the “cloud-first, mobile-first” productivity solutions company, security has thus been placed front and center.

David Molnar and Patrice Godefroid at Microsoft's Redmond, Washington, headquarters
Project Springfield researchers David Molnar (left) and Patrice Godefroid (right).

Today, Microsoft announced over at the official Microsoft blog the availability of a preview of a new cloud-based bug detector codenamed Project Springfield. The stakes are high, as Microsoft indicates:

Microsoft is making available to its customers one of the most sophisticated tools it has for rooting out potential security vulnerabilities in software including Windows, Office and other products.

The offering is code named Project Springfield, and up until now, the team that built it has thought of it as the million-dollar bug detector.

That’s because every time the system finds a potentially serious bug proactively, before a piece of software is released, it is saving a developer the costly effort of having to release a patch reactively, once the product is already public. With widely used software such as an operating system or productivity suite, deploying those patches can cost as much as $1 million, the researchers say.

Project Springfield includes technology that Microsoft has been using since the mid-2000’s, specifically the SAGE tool for conducting what’s called “fuzz testing.” But Project Springfield goes farther in finding errors in code:

Broadly speaking, fuzz testing works like this: The system throws random, unexpected inputs at a piece of software to look for instances in which those unforeseen actions cause the software to crash, signaling a security vulnerability.

Project Springfield builds on that idea with what it calls “white box fuzz testing.” It uses artificial intelligence to ask a series of “what if” questions and make more sophisticated decisions about what might trigger a crash and signal a security concern. Each time it runs, it gathers data to hone in on the areas that are most critical. This more focused, intelligent approach makes it more likely that Project Springfield will find vulnerabilities other fuzzing tools might miss.

Now, Microsoft is combining SAGE with other fuzz testing resources and adding in a dashboard to make the tools more accessible to users who are not necessarily security experts. Project Springfield runs on Azure as a cloud-based systems, providing data-center-scale resources to individual clients.

One of Microsoft’s goals with Project Springfield is shared by researchers across the company:

Project Springfield also has been developed at a time in which Microsoft researchers are getting more aggressive about quickly translating their groundbreaking research into tools customers can use.

With Project Springfield, Peter Lee, the corporate vice president in charge of Microsoft Research’s New Experiences and Technologies organization, said the team was determined to make sure it was “literally rubbing elbows” with the clients who were participating in an early preview of the system, having regular, face-to-face meetings to make sure it would meet their security needs.

“I actually view it as a collaboration,” he said. “In my mind, we’re doing the research together.”

You can learn more about Project Springfield, including organizations that are using the new technology, at the blog post. In the meantime, let us know in the comments below if this kind of cloud-based tool is a valuable next step in making software more secure and bug-free.