News

Microsoft Credits SAGE for Finding Software Security Flaws

• By Kurt Mackie
• 07/21/2011

Microsoft has been working to reduce security flaws in its Windows x86-based family of software products using an automated testing solution built by its own research group.

The testing application, called "SAGE" (Scalable, Automated, Guided Execution), has been deployed internally within Microsoft for the last two years, according to Patrice Godefroid, a principal researcher at Microsoft Research. It's not available for public use yet, he noted in a video report from last month's TOOLS conference in Switzerland, as published here.

SAGE is built on other Microsoft tools, including the iDNA trace recorder, the TruScan analysis engine and a Disolver constraint solver. However, it's described by Microsoft as a whitebox fuzz-testing tool.

Software flaws are expensive to chase, both for Microsoft and its customers, Godefroid explained. There are more than a billion Windows machines worldwide and SAGE is one way Microsoft has been working to reduce the number of security patches it issues each month, he added. One goal in using the tool is to eliminate buffer overflow problems in Microsoft's software, an old bug problem that continues to persist.

"An exploitable buffer overflow can override a stack pointer or function pointer in a heap and you can hijack the execution of a process," Godefroid noted in the video.

Most fuzz-testing tools use the blackbox approach of throwing random inputs at a program. SAGE's whitebox testing method relies on symbolic execution based on the actual code to find flaws, so Microsoft sees it as a more efficient software testing method.

"SAGE attempts to generate only those tests that exercise unique control paths in the program, thus maximizing the opportunity of finding defects," Microsoft explains in its SAGE description. "This contrasts with the approaches taken by existing fuzz-testing tools, which employ black-box techniques of randomly generating input data without any knowledge of the target program's code."

Microsoft's Windows security test team has been running SAGE nonstop on an average of 100 machines since 2009 to test "hundreds of applications" automatically. It's caught bugs that were missed in shipped software that had been tested by blackbox methods. For instance, SAGE early on detected more than 20 software flaws in shipped Windows applications, such as file decoders, image processors and media players, according to a Microsoft research paper (PDF).

Microsoft is still refining its SAGE tool, so it's a work in progress. The company has other measures in place, too, such as its "security development lifecycle" (SDL) approach that went company-wide as a process in 2004 and is available for use by other software developers. The SDL approach is designed to add security assurance to Microsoft's software build process, but its effectiveness recently has been questioned. Meanwhile, IT pros continue to grapple with Microsoft's monthly patch distributions, experiencing a light security update in July.

Industry-wide, there has been a general downward trend in application security vulnerabilities since 2006, according to Volume 10 of the Microsoft Security Intelligence Report.