Two New Security Tools for your SDL tool belt (Bonus: a “7-easy-steps” whitepaper)

Jeremy Dallman here to announce the release of two new security tools that will help you test and verify the security of your software – and meet some of the most critical requirements of the SDL. In addition, we are responding to customer requests and providing a basic 7-step guide for manually integrating key elements of the SDL Process Template into your existing Visual Studio Team System project.

As secure coding becomes an increasingly important piece of software development across the industry, we realize that security tools become a critical piece of your “security tool belt” and help ease adoption of security development best practices in your organization. In today’s economy, the tools that will get deployed are the inexpensive (or free) tools that effectively identify security issues, work seamlessly with your existing development environment and help teams implement the basics of the SDL.

Today we are making available BinScope Binary Analyzer and MiniFuzz File Fuzzer as no cost downloads.

We put together a couple of demo videos also. You can find them here: BinScope video & MiniFuzz video.

Let me briefly introduce you to each of these tools and explain why we think they are ideal tools to download and immediately include in your development lifecycle to verify the security of your code.

BinScope Binary Analyzer

What it does

The BinScope Binary Analyzer is an SDL-required security tool that has been used by Microsoft teams since the early days of the SDL. It analyzes your binaries for a wide variety of security protections with a very straightforward and easy-to-use interface. At Microsoft, developers and testers are required to use this tool in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL.

The analyzer performs a diverse set of security checks. These checks include:

  • /GS flag is being set to detect stack-based buffer overflows
  • /SafeSEH flag is being set to enable and ensure safe exception handling
  • /NXCOMPAT flag is being set to enforce data execution prevention (NX)
  • /DYNAMICBASE flag is being set to enable Address Space Layout Randomization (ASLR)
  • .NET Strong-Named Assemblies are being used to ensure unique key pairs and strong integrity checks are in place
  • Known good ATL headers are being used
  • Up-to-date compiler and linker versions are being used (minimum Visual Studio 2005 SP2)
  • Reports on dangerous constructs that are prohibited/discouraged by the SDL (e.g. read/write shared sections, global function pointers).
How you use it

The BinScope Binary Analyzer can be downloaded as a standalone tool or as a tool that can be integrated into Visual Studio 2008. By offering these two options, this tool can easily and quickly help you build your code to meet the SDL compiler/linker protections.

clip_image002

(Figure above: stand-alone BinScope)

clip_image004

(Figure above: BinScope integrated in Visual Studio)

Extra Goodness

With an integrated installation of the BinScope Binary Analyzer for Visual Studio, validation is readily available in the development environment. In addition, BinScope integrates with Microsoft Team Foundation Server (TFS) to output results into work items. Finally, if your project is using the Microsoft SDL Process Template for VSTS, BinScope will seamlessly integrate with the template’s security work items and SDL Final Security Review reporting.

clip_image006

(Figure above: Easy output to TFS to create bugs and speed triage)

clip_image008

(Figure above: Seamless integration with the SDL Process Template reporting)

MiniFuzz File Fuzzer

What it does

The MiniFuzz File Fuzzer is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their software development processes. A less capable and non-graphical version of this tool was originally published on the CD that came with the book The Security Development Lifecycle by Steve Lipner and Michael Howard. Since that tool was effective at finding quality bugs, we wanted to offer it more widely along with our other SDL tools, improve the user experience, and provide integration with Visual Studio and Team foundation Server.

Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of the MiniFuzz File Fuzzer, we have made a simple file fuzzer available to assist developer efforts to find and address more security bugs in code before it ships to customers. Simply provide the tool with a set of correctly formed files to serve as templates, and it will generate corrupted versions for testing. The effectiveness of fuzz testing can be increased by providing more variation in the template files.

clip_image010
How you use it

When you install the MiniFuzz File Fuzzer, it is provided as a stand-alone fuzzing tool that can be launched from your Start Menu. However, if you are using Visual Studio 2008, you can easily include the tool in Visual Studio as an Add-in Tool and launch it from there. In addition, the tool can also output to Team Foundation Server and integrate with the Microsoft SDL Process Template for Visual Studio Team System similar to the BinScope Binary Analyzer.

Whitepaper: Manually Integrating the SDL Process Template

The whitepaper can be downloaded here

After a successful release of the SDL Process Template for VSTS, we heard from some customers that they would like to include the key elements of the SDL into their existing team project. So, we figured out how to do that in 7 easy steps and wrote a whitepaper! This paper outlines the steps for manually extracting the key elements of the SDL Process Template and integrating them into an existing Visual Studio 2008 team project. By completing each of these manual steps, you can include the key elements of the SDL into your project without waiting until you start or build your next team project.

~~~~~~~~~~~~~~~~

That’s a lot of news for one day, but I hope you are as excited as we are to be releasing these tools and making it possible for more development teams to write secure code and adopt the SDL. We welcome your comments and questions as you download and begin using these tools!

[edited: 9/16/09 11AM – added links to videos]

Join the conversation

1 comments
  1. Anonymous

    Hi, can someone explain why binScope reports "ATLVersionCheck (Fail)" message?  It is a very simple MFC based application. The message only happens with release executable. I am using MSDEVStuido2008 with SP1. Here are the ATLVersinCheck details with release version fail and debug version pass. Both are using same ATL header files.  Should I ignore the release version check failure message?

    M:projsrctestmfctestReleasemfctest.exe – ATLVersionCheck ( FAIL )

    Information :

    c:program filesmicrosoft visual studio 9.0vcatlmfcincludeatlcomcli.h – IGNORING (No hash, part of pre-compiled headers in stdafx.obj)

    c:program filesmicrosoft visual studio 9.0vcatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    c:program filesmicrosoft visual studio 9.0vcatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcom.h – KNOWN GOOD (Hash CF-5C-48-69-8E-40-F1-E0-76-8D-9E-C5-BD-83-14-3A)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcomcli.h – UNKNOWN (Hash not available)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcom.h – UNKNOWN (Hash not available)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcomcli.h – IGNORING (No hash, part of pre-compiled headers in stdafx.obj)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcom.h – IGNORING (No hash, part of pre-compiled headers in stdafx.obj)

    M:projsrctestmfctestDebugmfctest.exe – ATLVersionCheck ( PASS )

    Information :

    c:program filesmicrosoft visual studio 9.0vcatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    c:program filesmicrosoft visual studio 9.0vcatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    c:program filesmicrosoft visual studio 9.0vcatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcom.h – KNOWN GOOD (Hash CF-5C-48-69-8E-40-F1-E0-76-8D-9E-C5-BD-83-14-3A)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcomcli.h – KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcom.h – KNOWN GOOD (Hash CF-5C-48-69-8E-40-F1-E0-76-8D-9E-C5-BD-83-14-3A)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcomcli.h – IGNORING (No hash, part of pre-compiled headers in stdafx.obj)

    f:ddvctoolsvc7libsshipatlmfcincludeatlcom.h – IGNORING (No hash, part of pre-compiled headers in stdafx.obj)

Comments are closed.