This article in our series focused on Microsoft’s free security tools is on a tool called BinScope Binary Analyzer. This tool can be helpful for both developers and IT professionals that are auditing the security of applications that they are developing or deploying/managing.
I have often said that as long as humans write code, mistakes will be made. Some of those mistakes will lead to security vulnerabilities, and some of those vulnerabilities will be potentially exploitable. This view is supported by the long term trending data that we published earlier this year in a special edition of the Microsoft Security Intelligence Report called The evolution of malware and the threat landscape – a 10-year review. The figures from this report below are based on vulnerability disclosure data from the National Institute of Standards (NIST) National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data.
Figure 1 (left): Industry-wide vulnerability disclosures since 2002; Figure 2 (right): Relative severity of vulnerabilities disclosed since 2002
Given the long term trend of thousands of vulnerability disclosures each year across the entire software industry, it behooves developers, IT professionals, and security professionals to closely evaluate the software they are developing and operating in their environments or plan to deploy in the future. Security mitigations that are built into Windows, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and others, can make it difficult or impossible for attackers to reliably exploit vulnerabilities that might be present in software. Determining if software in development is making use of these security mitigations is an important part of the development process and is a requirement in the Verification Phase of the Security Development Lifecycle (SDL). Auditing the software deployed in an environment and determining if it is making use of security mitigations can help risk managers make more meaningful assessments.
These are scenarios where the BinScope Binary Analyzer can help as it is a security tool that analyzes binaries to determine if they are leveraging specific security mitigations. Binscope has been used by teams at Microsoft for many years; developers and testers at Microsoft are required to use Binscope in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL. Whether or not you or your organization uses the SDL, you can likely still benefit from the functionality of this tool.
The checks Binscope is capable of performing include:
As seen in the figure below, to perform these checks, simply specify the file you are interested in and the checks you want to run on it. If you have access to symbols for the binary and specify the directory or symbol server containing the private symbols, Binscope will be able to do more of the checks I mentioned earlier as it will have access to more of the information it needs to perform these checks. Developers can use the standalone version of this tool or a version that can be integrated into Visual Studio; this integration makes it easier to build code with these compiler/linker protections.
Figure: an example of the Binscope Binary Analyzer performing checks and reporting results
If you decide to use Binscope to check whether software in your environment is using these protections and discover some protections are not being used, you’ll then have some data to share with your development organization or the ISVs you procure software from. If the source code or a newer version of the software you want to enable protections on aren’t available, in some cases, a tool I wrote about earlier in this series of articles, called EMET, might be able to enable some of these protections without requiring a recompile or new version of the software.
Free resources to help:
- Binscope download: http://www.microsoft.com/en-us/download/details.aspx?id=11910
- Binscope overview video: http://msdn.microsoft.com/en-us/security/Video/gg675010
- Binscope demo video: http://technet.microsoft.com/en-us/video/Video/ff711044
Director, Trustworthy Computing
Read other parts of this series
Part 1: Microsoft’s Free Security Tools – Series Introduction
Part 2: Microsoft’s Free Security Tools – Attack Surface Analyzer
Part 3: Microsoft’s Free Security Tools – Enhanced Mitigation Experience Toolkit
Part 4: Microsoft’s Free Security Tools – BinScope Binary Analyzer