1. Project Springfield Fuzz your code before hackers do
BRK2287
Project Springfield Fuzz your code before hackers do
David Molnar

2. https://microsoft.com/springfield
Project Springfield

3. From Research to Customers
“Million dollar” bugs
Patrice Godefroid
William Blum
2007 : Patrice Godefroid and team invent “whitebox fuzzing” research for finding “million dollar bugs”
2009 : Whitebox fuzzing finds 1/3 of security input validation bugs in Windows 7 development
2013 : Whitebox fuzzing run at scale on multiple Microsoft products in on-premise machine labs
2015 : William Blum joins, leads engineering team for Azure cloud service “Project Springfield”
May 2015 : Cloud service live and first customer finds serious bugs with “Project Springfield”
2015 – 2016 : Continuous improvement working closely with under NDA customers and partners
September 2016 : “Project Springfield” opens for preview

4. Customer Obsession
Working with customers and partners from the beginning
Hear who they are and hear their stories now
Demo and tech explanation after

5. Mike Lemley, Senior Cyber Security Developer
Westin Kurlancheek, Sr. Software Engineer in Reliability

7. Chad Thunberg, Chief Operating Officer
Chad Larsen, Director of Technical Services

9. Leviathan 10 Year Old Company
Specialize in Risk Management and Information Security
Fortune 10 to Boutique
Leviathan clears the path to limitless innovation. We see security as extraordinary opportunity; seeing the unforeseen.

10. Our Passion
Mature practices not books of bugs
Leave behind enablement

11. Customer Challenges Lack specialized resources and scale
Security is a cost center
How do we operationalize security? *

12. Partnership Integration of powerful framework
Solves part of ‘Scarcity’
Distributes workload

13. Results Enablement (2 assessments) Continuous security (case study)
9 of 30 (30%)
3 of 24 (12.5%)
Continuous security (case study)
464 bugs in 18 months
21% effort savings

14. OSIsoft and Deschutes Brewery
Perfect example of benefits:
Ease of use
Speed
Coverage

16. Chad A. Holmes Principal, Cybersecurity
Ernst & Young LLP
Rishi Pande Sr. Manager, Cybersecurity
Ernst & Young LLP

17. Demo

19. Deeper dive

20. Springfield includes whitebox fuzzing
void top(char input[4]) {
int cnt = 0;
if (input[0] == ‘b’) cnt++;
if (input[1] == ‘a’) cnt++;
if (input[2] == ‘d’) cnt++;
if (input[3] == ‘!’) cnt++;
if (cnt >= 4) crash(); }
input = “good”
Gen 1
Path constraint:
bood
I0!=‘b’
 I0=‘b’
I1!=‘a’
 I1=‘a’
gaod
I2!=‘d’
 I2=‘d’
godd
I3!=‘!’
 I3=‘!’
goo!
Microsoft
constraint solver
good
Create new constraints to cover new paths
Solve new constraints  new inputs

21. Springfield includes whitebox fuzzing
void top(char input[4]) {
int cnt = 0;
if (input[0] == ‘b’) cnt++;
if (input[1] == ‘a’) cnt++;
if (input[2] == ‘d’) cnt++;
if (input[3] == ‘!’) cnt++;
if (cnt >= 4) crash(); }
input = “bad!”
input = “badd”
input = “baod”
input = “bood”
Gen 1 …
baod
Gen 2 …
badd
Gen 3
bad! …
Gen 4
Path constraint:
bood
I0!=‘b’
 I0=‘b’
I1!=‘a’
 I1=‘a’
gaod
I2!=‘d’
 I2=‘d’
godd
I3!=‘!’
 I3=‘!’
goo!
Create new constraints to cover new paths
Solve new constraints  new inputs
Whitebox fuzzing finds the crash!

22. OUR UNIQUE APPROACH PLATFORM INTELLIGENCE PARTNERS 11/20/2018 8:18 AM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. https://microsoft.com/springfield
Thank you! What’s next?
Meet the speakers!
Visit Springfield booth in Expo and meet the team!
Attend more Security sessions
Sign up for Project Springfield Preview at
BRK2239
Delight users and IT with modern identity experiences on Windows 10
BRK2130
Protect your business data using Windows Information Protection
BRK3138
Monitor actor groups and detect targeted attacks with Microsoft’s Hunter Team
BRK3293
Look under the hood: bypassing antimalware tactics and infrastructure response Methods
BRK2132
End the game for credential theft with Microsoft Windows 10
BRK4021
Discover Microsoft Windows 10 Internals

24. Free IT Pro resources To advance your career in cloud technology
Microsoft Ignite 2016
11/20/2018 8:18 AM
Free IT Pro resources To advance your career in cloud technology
Plan your career path
Microsoft IT Pro Career Center
Cloud role mapping
Expert advice on skills needed
Self-paced curriculum by cloud role
$300 Azure credits and extended trials
Pluralsight 3 month subscription (10 courses)
Phone support incident
Weekly short videos and insights from Microsoft’s leaders and engineers
Connect with community of peers and Microsoft experts
Get started with Azure
Microsoft IT Pro Cloud Essentials
Demos and how-to videos
Microsoft Mechanics
Connect with peers and experts
Microsoft Tech Community
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

25. Please evaluate this session
11/20/2018 8:18 AM
Please evaluate this session
Your feedback is important to us!
From your PC or Tablet visit MyIgnite at
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

26. 11/20/2018 8:18 AM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.