Microsoft Credits SAGE for Finding Software Security Flaws

Microsoft has been working to reduce security flaws in its Windows x86-based family of software products using an automated testing solution built by its own research group.

The testing application, called "SAGE" (Scalable, Automated, Guided Execution), has been deployed internally within Microsoft for the last two years, according to Patrice Godefroid, a principal researcher at Microsoft Research. It's not available for public use yet, he noted in a video report from last month's TOOLS conference in Switzerland, as published here.

SAGE is built on other Microsoft tools, including the iDNA trace recorder, the TruScan analysis engine and the Disolver constraint solver. Microsoft describes it as a whitebox fuzz-testing tool.

Software flaws are expensive to chase, both for Microsoft and its customers, Godefroid explained. There are more than a billion Windows machines worldwide and SAGE is one way Microsoft has been working to reduce the number of security patches it issues each month, he added. One goal in using the tool is to eliminate buffer overflow problems in Microsoft's software, a long-standing class of bug that still persists.

"An exploitable buffer overflow can override a stack pointer or function pointer in a heap and you can hijack the execution of a process," Godefroid noted in the video.

Most fuzz-testing tools use the blackbox approach of throwing random inputs at a program. SAGE's whitebox testing method relies on symbolic execution based on the actual code to find flaws, so Microsoft sees it as a more efficient software testing method.

"SAGE attempts to generate only those tests that exercise unique control paths in the program, thus maximizing the opportunity of finding defects," Microsoft explains in its SAGE description. "This contrasts with the approaches taken by existing fuzz-testing tools, which employ black-box techniques of randomly generating input data without any knowledge of the target program's code."
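The difference between the two approaches can be seen in a toy model. The following is an added illustration, not SAGE code or anything from Microsoft: the `target` parser, its `MAGIC` header and the simulated crash are all constructed, and the "constraint solving" is reduced to flipping one recorded byte-equality branch at a time rather than calling a real solver.

```python
import random

MAGIC = b"SAGE"  # constructed 4-byte header guarding the buggy path

class Crash(Exception):
    pass

def target(data, trace):
    """Toy parser: the fault is reached only when all four bytes match MAGIC."""
    matched = 0
    for i, want in enumerate(MAGIC):
        taken = data[i] == want
        trace.append((i, want, taken))  # branch constraint seen on this path
        matched += taken
    if matched == len(MAGIC):
        raise Crash("simulated buffer overflow")

def run(data):
    """Execute the target once; return (path constraints, crashed?)."""
    trace = []
    try:
        target(data, trace)
        return trace, False
    except Crash:
        return trace, True

def blackbox(tries, seed=0):
    """Random inputs with no knowledge of the code: 1 in 2**32 odds per try."""
    rng = random.Random(seed)
    for n in range(1, tries + 1):
        data = bytes(rng.randrange(256) for _ in range(len(MAGIC)))
        if run(data)[1]:
            return data, n
    return None, tries

def whitebox(seed_input):
    """For each executed path, negate every untaken branch to derive a
    child input that is guaranteed to follow a new control path."""
    worklist, seen, runs = [seed_input], {seed_input}, 0
    while worklist:
        data = worklist.pop(0)
        trace, crashed = run(data)
        runs += 1
        if crashed:
            return data, runs
        for i, want, taken in trace:
            if not taken:  # "solve" data[i] == want by substitution
                child = data[:i] + bytes([want]) + data[i + 1:]
                if child not in seen:
                    seen.add(child)
                    worklist.append(child)
    return None, runs
```

Starting from an all-zero seed, the path-guided search reaches the faulting input after exploring each of the 16 distinct paths exactly once, while the random search is not expected to hit it in any practical number of tries.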

Microsoft's Windows security test team has been running SAGE nonstop on an average of 100 machines since 2009 to test "hundreds of applications" automatically. It's caught bugs that were missed in shipped software that had been tested by blackbox methods. For instance, SAGE early on detected more than 20 software flaws in shipped Windows applications, such as file decoders, image processors and media players, according to a Microsoft research paper (PDF).

Microsoft is still refining its SAGE tool, so it's a work in progress. The company has other measures in place, too, such as its "security development lifecycle" (SDL) approach that went company-wide as a process in 2004 and is available for use by other software developers. The SDL approach is designed to add security assurance to Microsoft's software build process, but its effectiveness recently has been questioned. Meanwhile, IT pros continue to grapple with Microsoft's monthly patch distributions, experiencing a light security update in July.

Industry-wide, there has been a general downward trend in application security vulnerabilities since 2006, according to Volume 10 of the Microsoft Security Intelligence Report.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

