Microsoft Credits SAGE for Finding Software Security Flaws

Microsoft has been working to reduce security flaws in its Windows x86-based family of software products using an automated testing solution built by its own research group.

The testing application, called "SAGE" (Scalable, Automated, Guided Execution), has been deployed internally within Microsoft for the last two years, according to Patrice Godefroid, a principal researcher at Microsoft Research. It's not available for public use yet, he noted in a video report from last month's TOOLS conference in Switzerland.

SAGE is built on other Microsoft tools, including the iDNA trace recorder, the TruScan analysis engine and a Disolver constraint solver. However, it's described by Microsoft as a whitebox fuzz-testing tool.

Software flaws are expensive to chase, both for Microsoft and its customers, Godefroid explained. There are more than a billion Windows machines worldwide, and SAGE is one way Microsoft has been working to reduce the number of security patches it issues each month, he added. One goal in using the tool is to eliminate buffer overflows in Microsoft's software, a long-standing class of bug that persists.

"An exploitable buffer overflow can override a stack pointer or function pointer in a heap and you can hijack the execution of a process," Godefroid noted in the video.

Most fuzz-testing tools use the blackbox approach of throwing random inputs at a program. SAGE's whitebox testing method relies on symbolic execution based on the actual code to find flaws, so Microsoft sees it as a more efficient software testing method.

"SAGE attempts to generate only those tests that exercise unique control paths in the program, thus maximizing the opportunity of finding defects," Microsoft explains in its SAGE description. "This contrasts with the approaches taken by existing fuzz-testing tools, which employ black-box techniques of randomly generating input data without any knowledge of the target program's code."
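The difference between the two approaches can be shown on a toy target. The following is an added example, not SAGE code or anything from Microsoft: the `target` parser, the `MAGIC` value and the seed input are constructed, and the "solver" is trivial because every branch here is a single-byte equality, whereas SAGE feeds real path constraints to a constraint solver.

```python
import random

MAGIC = b"bad!"  # constructed: the 4-byte input that reaches the "crash" path

def target(data, trace):
    """Constructed toy parser. Appends one (index, wanted_byte, taken) per branch."""
    hits = 0
    for i, want in enumerate(MAGIC):
        taken = data[i] == want
        trace.append((i, want, taken))  # path constraint: data[i] == want, or its negation
        hits += taken
    return hits == len(MAGIC)  # True stands in for the buffer-overflow crash

def blackbox_fuzz(tries, seed=1):
    """Random inputs, no knowledge of the code. Returns the crashing input or None."""
    rng = random.Random(seed)
    for _ in range(tries):
        data = bytes(rng.randrange(256) for _ in range(len(MAGIC)))
        if target(data, []):
            return data
    return None

def whitebox_fuzz(seed_input, max_runs=1000):
    """Negate one recorded branch at a time; run only inputs that take a new path."""
    seen, work, runs = set(), [bytes(seed_input)], 0
    while work and runs < max_runs:
        data, trace = work.pop(0), []
        crashed = target(data, trace)
        runs += 1
        if crashed:
            return data, runs
        seen.add(tuple(t for _, _, t in trace))
        for i, want, taken in trace:
            # Path the child will take: same as the parent with branch i flipped.
            path = tuple(t != (k == i) for k, (_, _, t) in enumerate(trace))
            if path in seen:
                continue
            seen.add(path)
            child = bytearray(data)
            # "Solve" the negated constraint; trivial here because it is one byte.
            child[i] = want if not taken else want ^ 0xFF
            work.append(bytes(child))
    return None, runs

if __name__ == "__main__":
    print("blackbox:", blackbox_fuzz(20000))
    print("whitebox:", whitebox_fuzz(b"good"))
```

The whitebox search executes each of the 16 control paths exactly once and reaches the crashing input on the last one, while random generation has a 1 in 2^32 chance per attempt.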

Microsoft's Windows security test team has been running SAGE nonstop on an average of 100 machines since 2009 to test "hundreds of applications" automatically. It has caught bugs that were missed in shipped software that had been tested by blackbox methods. For instance, SAGE early on detected more than 20 software flaws in shipped Windows applications, such as file decoders, image processors and media players, according to a Microsoft research paper.

Microsoft is still refining its SAGE tool, so it's a work in progress. The company has other measures in place, too, such as its "security development lifecycle" (SDL) approach that went company-wide as a process in 2004 and is available for use by other software developers. The SDL approach is designed to add security assurance to Microsoft's software build process, but its effectiveness recently has been questioned. Meanwhile, IT pros continue to grapple with Microsoft's monthly patch distributions, experiencing a light security update in July.

Industry-wide, there has been a general downward trend in application security vulnerabilities since 2006, according to Volume 10 of the Microsoft Security Intelligence Report.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

