
Project Springfield – Microsoft’s service for finding security-critical bugs - iou
https://www.microsoft.com/en-us/springfield/
======
lancaster78
Dup (15 h):
[https://news.ycombinator.com/item?id=12583795](https://news.ycombinator.com/item?id=12583795)

------
huppriy
How's this respectable? Especially with regards to efforts such as
[https://googleprojectzero.blogspot.se/2016/06/a-year-of-wind...](https://googleprojectzero.blogspot.se/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html)

It seems to me that either

    a) Microsoft can't possibly have fuzzed their code for the last 15 years

or

    b) their fuzzer is useless

~~~
zuzun
Microsoft has been doing fuzzing for years. They claim to "run the largest
fuzzing lab in the world". They incorporated their Z3 solver into their
fuzzer, which itself is an awesome piece of technology. What they do sounds
really cool and I'd say Microsoft Research is a big authority in the fuzzing
field.

[PDF] [http://research.microsoft.com/en-us/um/people/pg/public_psfi...](http://research.microsoft.com/en-us/um/people/pg/public_psfiles/SAGE-in-one-slide.pdf)

~~~
creshal
> Microsoft has been doing fuzzing for years.

Then why do we need to rely on Google to fuzz Windows' kernel?

~~~
zuzun
Obviously only Microsoft could explain why they missed these bugs. Maybe they
never fuzzed the font parsing parts of the Windows kernel (what a weird thing
to say). What I know is that the Project Zero people put a lot of effort into
this and they had a large font corpus and mutated inputs based on
domain-specific knowledge, maybe that was their key to success.

~~~
xorxornop
Also, there is selection bias at work here: we don't hear about all the stuff
that the Microsoft fuzzing team does find. And I bet it's a lot. There's no
real benefit to them to share their internal findings - it would effectively
just be handing 0-days to malware authors on a plate, after all, affecting all
users running older versions - and so we get this very skewed view.

------
aaronbrethorst
Very strange to me to see this codename reused:
[http://www.artima.com/forums/flat.jsp?forum=152&thread=20607...](http://www.artima.com/forums/flat.jsp?forum=152&thread=206079)

~~~
robert_tweed
Should have called it Project Shelbyville instead.

BTW, title should perhaps indicate this is a security-centric fuzzing tool.
Possibly a bigger deal than it might seem from the name.

