Sunday, August 21, 2011

Microsoft Research Secures Windows with SAGE Fuzz Testing

Most fuzz-testing tools use the blackbox approach of throwing random inputs at a program without knowledge of the code. For the last two years, Microsoft has used a whitebox fuzz-testing method developed by Microsoft Research to reduce security flaws in its Windows x86 software.

The testing application, called "SAGE" (Scalable, Automated, Guided Execution), relies on dynamic symbolic execution of the program as it actually runs: it records a concrete execution on a seed input, derives a constraint on the input from each branch that execution took, and solves modified versions of those constraints to produce new inputs that drive the program down paths not yet tested. SAGE is built on other Microsoft tools, including the iDNA trace recorder, the TruScan analysis engine and the Disolver constraint solver.

Microsoft's Windows security test team has been running SAGE nonstop on an average of 100 machines since 2009 to test "hundreds of applications" automatically. It has caught bugs in shipped software that blackbox fuzzing had missed. For instance, SAGE early on detected more than 20 software flaws in shipped Windows applications, such as file decoders, image processors and media players, according to a Microsoft research paper (PDF).

Software flaws are expensive to chase, both for Microsoft and its customers, said Patrice Godefroid, a principal researcher at Microsoft Research, in a video report from last month's TOOLS conference in Switzerland. There are more than a billion Windows machines worldwide, and SAGE is one way Microsoft has been working to reduce the number of security patches it issues each month, he added. One goal in using the tool is to eliminate buffer overflows in Microsoft's software, a decades-old class of bug that still turns up. SAGE is not currently available to the public.

"An exploitable buffer overflow can override a stack pointer or function pointer in a heap and you can hijack the execution of a process," Godefroid noted in the video.

"SAGE attempts to generate only those tests that exercise unique control paths in the program, thus maximizing the opportunity of finding defects," Microsoft explains in its SAGE description. "This contrasts with the approaches taken by existing fuzz-testing tools, which employ black-box techniques of randomly generating input data without any knowledge of the target program's code."
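To make the contrast with blackbox fuzzing concrete, here is a toy whitebox fuzzer in Python. It is an added example written for this article, not Microsoft's SAGE (which works on x86 instruction traces rather than Python objects); the program under test, the byte-equality "solver" that stands in for Disolver, and the names `SymByte`, `target`, `solve`, `whitebox_fuzz` and `blackbox_fuzz` are all constructed for the example. It records the branch each byte comparison takes as a path constraint, then performs the generational search the paper describes: keep the constraints before branch i, negate branch i, solve for an input, run it, repeat.

```python
"""Toy whitebox fuzzer illustrating SAGE-style generational search.
Added example, not Microsoft's code. Everything here is constructed for
illustration: the program under test, the constraint recorder, and a
byte-equality solver standing in for a real constraint solver."""
from collections import deque
import random


class BugFound(Exception):
    """Raised by the program under test when it reaches its error state."""


class SymByte:
    """A concrete input byte that also appends a path constraint
    (index, value compared against, branch taken?) whenever it is compared."""

    def __init__(self, idx, val, trace):
        self.idx, self.val, self.trace = idx, val, trace

    def __eq__(self, other):
        taken = self.val == other
        self.trace.append((self.idx, other, taken))
        return taken


def target(data, trace):
    """Constructed program under test: four independent byte checks, and the
    'bug' fires once any three of them pass. A random 4-byte input hits it
    with probability of roughly 2**-22 per run."""
    s = [SymByte(i, b, trace) for i, b in enumerate(data)]
    cnt = 0
    if s[0] == ord("b"):
        cnt += 1
    if s[1] == ord("a"):
        cnt += 1
    if s[2] == ord("d"):
        cnt += 1
    if s[3] == ord("!"):
        cnt += 1
    if cnt >= 3:
        raise BugFound(bytes(data))


def solve(constraints, base):
    """Stand-in for the constraint solver: return a byte string, as close to
    `base` as possible, in which every (idx, value, must_equal) constraint
    holds. Only byte equalities are understood. Returns None if unsatisfiable."""
    out = bytearray(base)
    need, avoid = {}, {}
    for idx, val, eq in constraints:
        (need if eq else avoid).setdefault(idx, set()).add(val)
    for idx in set(need) | set(avoid):
        if idx in need:
            # A byte cannot equal two different values, nor equal and not equal one.
            if len(need[idx]) > 1 or need[idx] & avoid.get(idx, set()):
                return None
            out[idx] = next(iter(need[idx]))
        elif out[idx] in avoid[idx]:
            out[idx] = next(v for v in range(256) if v not in avoid[idx])
    return bytes(out)


def whitebox_fuzz(seed, max_runs=1000):
    """Generational search: execute an input, then for every branch i in its
    trace ask the solver for an input that keeps constraints 0..i-1 and flips
    constraint i. Each solved child is queued and explored in turn.
    Returns (crashing_input_or_None, executions_used)."""
    worklist = deque([bytes(seed)])
    explored = set()  # path-constraint prefixes already handed to the solver
    runs = 0
    while worklist and runs < max_runs:
        inp = worklist.popleft()
        trace = []
        runs += 1
        try:
            target(inp, trace)
        except BugFound:
            return inp, runs
        for i, (idx, val, taken) in enumerate(trace):
            prefix = tuple(trace[:i]) + ((idx, val, not taken),)
            if prefix in explored:
                continue
            explored.add(prefix)
            child = solve(prefix, inp)
            if child is not None:
                worklist.append(child)
    return None, runs


def blackbox_fuzz(tries, seed=1):
    """Blackbox baseline: random 4-byte inputs with no knowledge of the code.
    Returns (crashing_input_or_None, executions_used)."""
    rng = random.Random(seed)
    for runs in range(1, tries + 1):
        inp = bytes(rng.randrange(256) for _ in range(4))
        try:
            target(inp, [])
        except BugFound:
            return inp, runs
    return None, tries


if __name__ == "__main__":
    print("blackbox:", blackbox_fuzz(2000))
    print("whitebox:", whitebox_fuzz(b"good"))
```

With four branches there are only 2 + 4 + 8 + 16 = 30 distinct constraint prefixes to negate, so the whitebox search reaches the bug in at most 31 executions from the seed `good`, while the random baseline needs on the order of four million inputs on average to land three of the four magic bytes at once. Real programs have far deeper paths and arithmetic constraints a byte-equality solver cannot handle, which is why SAGE needs a full constraint solver and why the search is guided rather than exhaustive.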

Microsoft is still refining SAGE, so it is a work in progress. The company has other measures in place, too, such as its "security development lifecycle" (SDL) approach, which went company-wide as a process in 2004 and is available for use by other software developers. The SDL approach is designed to add security assurance to Microsoft's software build process, but its effectiveness has recently been questioned. Meanwhile, IT pros continue to grapple with Microsoft's monthly patch distributions, July's having been a light security update.

Industry-wide, there has been a general downward trend in application security vulnerabilities since 2006, according to Volume 10 of the Microsoft Security Intelligence Report.