What’s the fuzz about? Microsoft unveils its latest security tool

Created: October 11, 2017

Microsoft has added the ability to “fuzz” for a number of dangerous memory corruption flaws to its automated security testing service, Microsoft Security Risk Detection (MSRD).

Security fuzzing works by throwing huge amounts of random, unexpected data (fuzz) at an application in order to trigger exceptions and highlight security vulnerabilities.

Because it’s a “black box” technique, no access to source code is needed. The tester pokes and probes an application from the outside in the same way a hacker would, hoping to uncover weaknesses without a clear understanding of the application’s inner workings.

At the end, the tester gets to see precisely what state caused the problem.

However, fuzzing can be time-consuming and resource-intensive, and it can leave your development team chasing bugs that aren’t exploitable security vulnerabilities, so some developers skimp.
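A minimal sketch of the black-box loop described above, added here as an illustration and not code from MSRD or the original article: it mutates a valid seed, runs a constructed toy parser (`parse_record`, a hypothetical target with a deliberately unchecked length field), and keeps the smallest crashing input per crash bucket. Python's `IndexError` stands in for the out-of-bounds read a native parser would suffer.

```python
import random

def parse_record(data: bytes) -> int:
    """Constructed toy target: [type][length][payload...] -> payload checksum."""
    if len(data) < 2:
        raise ValueError("short header")      # clean rejection, not a bug
    rtype, length = data[0], data[1]
    if rtype not in (1, 2):
        raise ValueError("unknown type")
    total = 0
    for i in range(length):                   # BUG (deliberate): length is trusted,
        total += data[2 + i]                  # so this can index past the buffer
    return total & 0xFF

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Overwrite random bytes or truncate the input, one to three times."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        if not buf:
            break
        if rng.random() < 0.8:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        else:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {(exception, function, line): smallest crashing input}."""
    rng = random.Random(rng_seed)
    buckets = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                          # rejected cleanly: not a finding
        except Exception as exc:
            tb = exc.__traceback__
            while tb.tb_next:                 # walk to the frame that raised
                tb = tb.tb_next
            key = (type(exc).__name__, tb.tb_frame.f_code.co_name, tb.tb_lineno)
            if key not in buckets or len(case) < len(buckets[key]):
                buckets[key] = case           # keep the smallest reproducer
    return buckets

SEED = bytes([0x01, 0x04]) + b"ABCD"          # constructed valid record

if __name__ == "__main__":
    for key, case in fuzz(parse_record, SEED).items():
        print(key, case.hex())
```

Every crash the loop triggers lands in one bucket keyed by exception type and faulting line, so the developer gets a single reproducer to fix instead of a pile of duplicate reports.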

In 2015, Microsoft hatched its answer in the shape of Project Springfield, an Azure cloud testing service built around its own internal fuzzing tools with AI used to do the heavy lifting. Initially, this offered static source code analysis (examining code without running it), or “white box” fuzzing.

With the service now slowly emerging from beta as MSRD, the company keeps adding new capabilities, the latest of which is VulnScan, a tool that looks for five different types of memory corruption flaws using the black box approach.

This sounds a bit dry but a lot of security vulnerabilities have at their root these memory problems – buffer overflows being the obvious example – which fuzzing is good at finding. Adding this capability makes MSRD a lot more useful.

Do we know this kind of fuzzing works? And why the recent enthusiasm for it?

According to Microsoft UK’s Mateusz Krzywicki:

“Over a 10-month period where VulnScan was used to triage all memory corruption issues for Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products. It had a success rate around 85%, saving an estimated 500 hours of engineering time for MSRC engineers.”

Microsoft is so pleased with this that it even includes a breakdown of how VulnScan was used to get to the bottom of the Chakra memory corruption vulnerability (CVE-2017-0134), disclosed in March.

Google is also a fuzzing fan, earlier this year talking up the success of its OSS-Fuzz project, claiming to have found 264 vulnerabilities in 47 open source projects.

So it works, and being a black box technique it can work just as well for the bad guys as it does for the good ones. For development teams that have had “start fuzzing” on their to-do list for a while, the emergence of cloud-hosted fuzzing tools on Azure and Google Compute Engine is both a solution to the resources problem and a wake-up call to get on with it.

We don’t know how much MSRD will cost when the wrapper comes off the beta, but I assume it won’t be cheap. There’s no doubt fuzzing could be a sizeable business for Microsoft, helped along by its support for Linux.

It’s as if Microsoft has come full circle from the dark days of 2004, an era when its under-estimation of Windows XP’s security nearly sank Windows. That led to the Security Development Lifecycle (SDL), which laid the foundations for the emerging world of security tools and testing solutions packaged into cloud services.

Microsoft is still not a security company exactly but the advent of cloud fuzzing and the MSRD might yet make it some money from an area that once caused it huge pain.


Source: Naked Security
