Microsoft releases tools exposing software security vulnerabilities

The tools, BinScope and MiniFuzz are part of Microsoft’s Security Development Lifecycle (SDL) and can be used at the validation stage of software development. The aim is to remove potential security problems before software is shipped.

Steve Lipner, senior director of security engineering at Microsoft’s Trustworthy Computing Group, told Infosecurity: “BinScope is a developer tool – it’s aimed at helping developers or development organisations build secure software that can be used in secure IT environments. Using BinScope is mandatory for essentially all software that Microsoft ships.”

It checks that flags such as /GS, /SafeSEH, /NXCOMPAT, and /DYNAMICBASE are set, that strong-named assemblies are being used, up-to-date complier and linker versions are being used, and that good ATL headers are applied.

Lipner said following some security vulnerability reports over the summer, Microsoft not only published security updates to the software in question, but also looked at how to avoid such problems for the future, imposing new requirements through the SDL.

“We also released the guidance to external customers and we updated the BinScope tool so that if a developer tester runs BinScope on binaries before a product is released, it will verify that that binary was built with the new safe ATL headers”, Lipner told Infosecurity.

MiniFuzz, on the other hand, is a file fuzzer, which means you corrupt valid input data, run them against an application and report the bugs.

“It’s simple, lightweight and basic, but it’s also very effective for finding security vulnerabilities in programmes that process input files”, Lipner said.

Both BinScope and MiniFuzz can be run as stand-alone products or as part of Microsoft Visual Studio.

Lipner also said Microsoft is releasing a white paper, Manual Integration of the SDL Process Template, which tells developers using their own templates how to take the SDL template apart and then integrate it with their own process templates.

“We think that these releases will be very helpful to organisations in applying SDL to their environments and thus developing more secure code”, Lipner said.

Asked whether releasing this information could compromise application security, Lipner said that as long as the good guys have the tools before the bad guys, the baddies won’t have anything to find.

Furthermore, BinScope requires that the user has the development symbols for the application: “If you’re not the developer, you cannot use BinScope to find vulnerabilities in a piece of software because you have to have the development symbols that are an artefact of the fact that you built that software”, Lipner added.

What’s Hot on Infosecurity Magazine?