SDL Team Adds Test Tools to the SDL Tools Arsenal

Those of you who have been reading my blog for a while know that part of my interest in security metrics is in trying to find ways to measure whether Microsoft efforts to improve fundamental security in products are bearing fruit.  Central to the Microsoft efforts is the Security Development Lifecycle process.

One of the cool efforts that has been happening over the past couple of years is that the SDL team (read their blog!) has been taking tools and technology that were developed internally to support the Microsoft SDL process and releasing them, cost free, to the community so that the tools could be leveraged by all types of developers.  (I say “all types” and that’s true, though in some cases the tools either do more or were designed to work primarily with Visual Studio projects.  Tools like MiniFuzz, though, can be used to fuzz applications regardless of the development tools used.)

Today the SDL team are making available BinScope Binary Analyzer and MiniFuzz File Fuzzer as no cost downloads.

We also put together a couple of demo videos. You can find them at these links (BinScope video, MiniFuzz video) or you can watch the embedded videos directly in this post below.

BinScope Binary Analyzer

The BinScope Binary Analyzer is an SDL-required security tool that has been used by Microsoft teams since the early days of the SDL. It analyzes your binaries for a wide variety of security protections with a very straightforward and easy-to-use interface. At Microsoft, developers and testers are required to use this tool in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL.

The analyzer performs a diverse set of security checks. These checks include:

  • /GS flag is being set to detect stack-based buffer overflows
  • /SafeSEH flag is being set to enable and ensure safe exception handling
  • /NXCOMPAT flag is being set to enforce data execution prevention (NX)
  • /DYNAMICBASE flag is being set to enable Address Space Layout Randomization (ASLR)
  • .NET Strong-Named Assemblies are being used to ensure unique key pairs and strong integrity checks are in place
  • Known good ATL headers are being used
  • Up-to-date compiler and linker versions are being used (minimum Visual Studio 2005 SP2)
  • Reports on dangerous constructs that are prohibited/discouraged by the SDL (e.g. read/write shared sections, global function pointers).
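
To make the /NXCOMPAT and /DYNAMICBASE checks concrete, here is an added example (not part of the original post and not BinScope's own code) that reads the DllCharacteristics field and linker version from a PE header. The function names and the sample header bytes are constructed for illustration; /GS, SafeSEH and the other checks in the list need deeper analysis and are not covered.

```python
import struct

# DllCharacteristics bits the linker sets for two of the options listed above.
REQUIRED_FLAGS = {
    "/NXCOMPAT": 0x0100,     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
    "/DYNAMICBASE": 0x0040,  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
}

def check_pe_mitigations(data: bytes) -> dict:
    """Report the linker version and which required opt-in flags are missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # skip the 4-byte PE signature and 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("bad PE signature or truncated optional header")
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    missing = [name for name, bit in REQUIRED_FLAGS.items() if not dll_chars & bit]
    return {"linker_version": (major, minor), "missing": missing}

def build_sample_header(dll_chars: int, linker=(8, 0)) -> bytes:
    """Constructed sample: minimal PE32 header bytes, not a loadable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<HBB", optional, 0, 0x10B, *linker)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + coff + bytes(optional)

if __name__ == "__main__":
    samples = (("hardened", 0x0140), ("dep-only", 0x0100), ("legacy", 0x0000))
    for label, flags in samples:
        print(label, check_pe_mitigations(build_sample_header(flags)))
```

To check a real binary, pass the first few kilobytes of the file to `check_pe_mitigations`; a non-empty `missing` list names the linker options to turn on.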

Watch this video to get an overview and see a demonstration of BinScope in action:

MiniFuzz File Fuzzer

The MiniFuzz File Fuzzer is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their software development processes. A less capable and non-graphical version of this tool was originally published on the CD that came with the book The Security Development Lifecycle by Steve Lipner and Michael Howard. Since that tool was effective at finding quality bugs, we wanted to offer it more widely along with our other SDL tools, improve the user experience, and provide integration with Visual Studio and Team Foundation Server.

Because we have found fuzzing to be effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of the MiniFuzz File Fuzzer, we have made a simple file fuzzer available to assist developer efforts to find and address more security bugs in code before it ships to customers. Simply provide the tool with a set of correctly formed files to serve as templates, and it will generate corrupted versions for testing. The effectiveness of fuzz testing can be increased by providing more variation in the template files.

Watch this video to get an overview and see a demonstration of MiniFuzz in action:

Resources and Other Information

These tools are not the first ones that the SDL team has made available.  Check out the SDL Tools Repository to download BinScope Binary Analyzer and MiniFuzz File Fuzzer, as well as other tools like FxCop, the SDL Process Template for Visual Studio Team System, the SDL Threat Modeling tool, CAT.NET and the Anti-XSS library.

Best regards ~ Jeff

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends