Redmondmag.com:
Microsoft Credits SAGE for Finding Software Security Flaws
- By Kurt Mackie
- 07/21/2011
Microsoft has been working to reduce security flaws in its Windows x86-based family of software products using an automated testing solution built by its own research group.
The testing application, called "SAGE" (Scalable, Automated, Guided Execution), has been deployed internally within Microsoft for the last two years, according to Patrice Godefroid, a principal researcher at Microsoft Research. It's not available for public use yet, he noted in a video report from last month's TOOLS conference in Switzerland, as published here.
SAGE is built on other Microsoft tools, including the iDNA trace recorder, the TruScan analysis engine and a Disolver constraint solver. However, it's described by Microsoft as a whitebox fuzz-testing tool.
Software flaws are expensive to chase, both for Microsoft and its customers, Godefroid explained. There are more than a billion Windows machines worldwide and SAGE is one way Microsoft has been working to reduce the number of security patches it issues each month, he added. One goal in using the tool is to eliminate buffer overflow problems in Microsoft's software, an old bug problem that continues to persist.
"An exploitable buffer overflow can override a stack pointer or function pointer in a heap and you can hijack the execution of a process," Godefroid noted in the video. [Read more]
posted by: gqjournal
Comments