14 DAY TRIAL // Yesterday I was telling you that Microsoft released MiniFuzz to its Download Center, making the tool available for free to third-party software developers. However, the fuzzing solution MiniFuzz is just a part of the latest initiative from the Redmond company designed to allow non-Microsoft developers to adhere to its high standards of security via the Software Development Lifecycle. In this regard, the software giant also announced the availability of the BinScope Binary Analyzer. Essentially, according to Jeremy Dallman, security program manager, Security Development Lifecycle Team, MiniFuzz and the BinScope Binary Analyzer are designed to be used in tandem in order to ensure that software meets the key requirements of SDL.
“The BinScope Binary Analyzer is an SDL-required security tool that has been used by Microsoft teams since the early days of the SDL. It analyzes your binaries for a wide variety of security protections with a very straightforward and easy-to-use interface. At Microsoft, developers and testers are required to use this tool in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL,” Dallman noted.
Both the MiniFuzz fuzz tester and the BinScope Binary Analyzer are up for grabs at no charge at all from the Microsoft Download Center. The two free security tools made available by the Microsoft SDL team are designed to help third-party developers secure their applications. Microsoft has said time and again that it has witnessed a transition of the threat landscape from Windows-centric attacks to exploits of vulnerabilities and poorly written code in non-Microsoft programs. According to the software giant, the tool is designed to play nice with Windows 7, Windows Vista, and Windows XP.
“The analyzer performs a diverse set of security checks. These checks include: /GS flag is being set to detect stack-based buffer overflows; /SafeSEH flag is being set to enable and ensure safe exception handling; /NXCOMPAT flag is being set to enforce data execution prevention (NX); /DYNAMICBASE flag is being set to enable Address Space Layout Randomization (ASLR); .NET Strong-Named Assemblies are being used to ensure unique key pairs and strong integrity checks are in place; Known good ATL headers are being used; Up-to-date compiler and linker versions are being used (minimum Visual Studio 2005 SP2); reports on dangerous constructs that are prohibited/discouraged by the SDL (e.g. read/write shared sections, global function pointers),” Dallman explained.
BinScope Binary Analyzer is available for download here.
MiniFuzz is available for download here.