Job

A job is a single execution of the Security Risk Detection fuzzing workflow:

  • Against one target application

  • And one file format

  • For a set period of time (e.g., two weeks)

  • That produces a set of results – exceptions and crashes found in your code

How many jobs you can run depends on your job count – think of this like 'credits'. This will vary based on your Security Risk Detection subscription and usage.

Job Lifecycle

An individual job will normally proceed through three stages: preparation, validation, and fuzzing. Jobs in these states have respective statuses of preparing, validating, and fuzzing. Once fuzzing is done, the job status is complete. There are two additional statuses: expired and archived, explained below.


Preparing

This stage begins when you choose to “Create Job” from the account landing page in the user portal. A virtual machine known as the Customer VM is provisioned in Azure. This is where you'll upload and install your application binaries, corpus of seed files and, if required, a test harness.

You'll also need to use the Job Wizard that's on the Customer VM to configure the job and then submit it. This process is described in detail under How to Submit a Windows Fuzzing Job.

At the point you submit the job, your account's job credit is decremented by one, and the validation process begins.

Expired

A job expires, and its Customer VM is deleted, if it is not submitted within fourteen days of creation. This time limit is intended to minimize the under-use of Azure resources. There is no penalty for allowing a job to expire; please choose to delete it and create another.

Validating

Prior to fuzzing, your target application and seed files are analyzed. The minimization process kicks off, which in effect deduplicates your seed file corpus to obtain the minimal set that achieves the same coverage as the full set. This helps improve fuzzing efficiency.
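A common way to minimize a corpus by coverage is a greedy set-cover pass, sketched here as an added example; it is not Security Risk Detection's own code, and the service's actual algorithm is not described on this page. The seed names, block ids and file sizes are constructed, and a greedy pass yields a small covering set rather than a guaranteed smallest one.

```python
# Added illustration: greedy coverage-based corpus minimization.
# A real run would collect per-seed coverage by executing the target once
# per seed under instrumentation; the data below is constructed.

def covered(coverage, seeds):
    """Union of the code blocks reached by the given seeds."""
    return set().union(*(coverage[s] for s in seeds))

def minimize_corpus(coverage, sizes):
    """Pick seeds until every block reached by the full corpus is reached.

    coverage: dict of seed name -> set of covered block ids
    sizes:    dict of seed name -> file size in bytes
    """
    remaining = covered(coverage, coverage)  # blocks still to be covered
    kept = []
    while remaining:
        # Most newly covered blocks first; on a tie prefer the smaller file,
        # then the name, so the result is deterministic.
        best = min(
            coverage,
            key=lambda s: (-len(coverage[s] & remaining), sizes[s], s),
        )
        kept.append(best)
        remaining -= coverage[best]
    return kept

# Constructed sample corpus: block ids stand in for basic blocks or edges.
COVERAGE = {
    "a.png": {1, 2, 3, 4},
    "b.png": {1, 2, 3, 4},   # same coverage as a.png, larger file
    "c.png": {3, 4, 5},
    "d.png": {6},
    "e.png": {5, 6},
}
SIZES = {"a.png": 900, "b.png": 1200, "c.png": 400, "d.png": 100, "e.png": 300}

if __name__ == "__main__":
    kept = minimize_corpus(COVERAGE, SIZES)
    print("kept:", kept)
    print("dropped:", sorted(set(COVERAGE) - set(kept)))
```

Seeds that reach no new blocks, such as the duplicate `b.png`, are dropped without reducing total coverage, so every fuzzing VM spends its time on inputs that exercise distinct code.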

Fuzzing

Once validation is complete, the job enters the fuzzing stage: several dozen virtual machines are provisioned, each a modified clone of the Customer VM. Specifically, each has an exact copy of the target application installed, and a modified set of seed files (based on the minimization performed during validation and a partitioning algorithm) along with a fuzzer from the Security Risk Detection fuzzer suite.

Once this provisioning is complete, each fuzzer on each VM starts up, and will run for the lifetime of the job, typically two weeks.

Complete

At the point the job's execution duration (typically two weeks) expires, the job is considered complete.

Stopped

At any point in the workflow, you can choose to stop the job. The job's status is updated to Stopped; however, other than the shortened runtime, the job in this state is otherwise identical to one that ran to completion: you can still download any results, and you may use the job as a template from which you can create other jobs.

Creating New or Cloned Jobs

As discussed above, a job is associated with a Customer VM, the virtual machine on which the target application is installed to be tested.

There are two ways to add new jobs to your account: create a new job or clone an existing job (stopped or completed).

Create a new job

The Customer VM will be a fresh install of the operating system (Windows or Linux), with only the Security Risk Detection application and some frameworks installed. You may install any software you'd like.

Clone an existing job

In this case, the Customer VM of your new job will be a duplicate of the Customer VM from another job in your account. That is, it will contain exactly the same target application and seed files tested in the other job. This can be a useful feature if the application you're testing takes a large amount of time to install, or has significant dependencies (such as the installation and configuration of a database or other services).