Microsoft Credits SAGE for Finding Software Security Flaws

Microsoft has been working to reduce security flaws in its Windows x86-based family of software products using an automated testing solution built by its own research group.

The testing application, called "SAGE" (Scalable, Automated, Guided Execution), has been deployed internally within Microsoft for the last two years, according to Patrice Godefroid, a principal researcher at Microsoft Research. It's not available for public use yet, he noted in a video report from last month's TOOLS conference in Switzerland, as published here.

SAGE is built on other Microsoft tools, including the iDNA trace recorder, the TruScan analysis engine and a Disolver constraint solver. However, it's described by Microsoft as a whitebox fuzz-testing tool.

Software flaws are expensive to chase, both for Microsoft and its customers, Godefroid explained. There are more than a billion Windows machines worldwide and SAGE is one way Microsoft has been working to reduce the number of security patches it issues each month, he added. One goal in using the tool is to eliminate buffer overflow problems in Microsoft's software, an old bug problem that continues to persist.

"An exploitable buffer overflow can override a stack pointer or function pointer in a heap and you can hijack the execution of a process," Godefroid noted in the video.

Most fuzz-testing tools use the blackbox approach of throwing random inputs at a program. SAGE's whitebox testing method relies on symbolic execution based on the actual code to find flaws, so Microsoft sees it as a more efficient software testing method.

"SAGE attempts to generate only those tests that exercise unique control paths in the program, thus maximizing the opportunity of finding defects," Microsoft explains in its SAGE description. "This contrasts with the approaches taken by existing fuzz-testing tools, which employ black-box techniques of randomly generating input data without any knowledge of the target program's code."

Microsoft's Windows security test team has been running SAGE nonstop on an average of 100 machines since 2009 to test "hundreds of applications" automatically. It's caught bugs that were missed in shipped software that had been tested by blackbox methods. For instance, SAGE early on detected more than 20 software flaws in shipped Windows applications, such as file decoders, image processors and media players, according to a Microsoft research paper (PDF).

Microsoft is still refining its SAGE tool, so it's a work in progress. The company has other measures in place, too, such as its "security development lifecycle" (SDL) approach that went company-wide as a process in 2004 and is available for use by other software developers. The SDL approach is designed to add security assurance to Microsoft's software build process, but its effectiveness recently has been questioned. Meanwhile, IT pros continue to grapple with Microsoft's monthly patch distributions, experiencing a light security update in July.

Industry-wide, there has been a general downward trend in application security vulnerabilities since 2006, according to Volume 10 of the Microsoft Security Intelligence Report.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Hires Movial To Build Android OS for Microsoft Devices

    Microsoft has hired the Romanian operations of software engineering and design services company Movial to develop an Android-based operating system solution for the Microsoft Devices business segment.

  • Microsoft Ending Workflows for SharePoint 2010 Online Next Month

    Microsoft on Monday gave notice that it will be ending support this year for the "workflows" component of SharePoint 2010 Online, as well as deprecating that component for SharePoint 2013 Online.

  • Why Windows Phone Is Dead, But Not Completely Gone

    Don't call it a comeback (because that's not likely). But as Brien explains, there are three ways that today's smartphone market leaves the door open for Microsoft to bring Windows back to smartphones.

  • Feature Update Deferral Mix-Up in Windows 10 Version 2004 Further Explained

    Microsoft last week described the confusion it is attempting to avoid by removing the client graphical user interface (GUI)-based controls to defer Windows 10 feature updates, starting with version 2004.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.