Microsoft security guru: Get fuzzing

Summary:Microsoft security whiz Michael Howard is urging developers in the Windows ecosystem to adopt fuzz testing as a critical part of the software creation process, stressing that the use of fuzzers can dramatically reduce the number of potential security vulnerabilities.

Orlando, Florida -- Microsoft security whiz Michael Howard is urging developers in the Windows ecosystem to adopt fuzz testing as a critical part of the software creation process, stressing that the use of fuzzers can dramatically reduce the number of potential security vulnerabilities.

Michael Howard

Howard, co-author of a book on Microsoft's mandatory SDL (Security Development Lifecycle), issued the call during a lively Q&A session with attendees at the TechEd 2007 conference here. "If you fuzz, your bug rates will drop pretty quickly. You'll get to a flat line quickly [of bugs found] very quickly, assuming you're fixing the bugs as you go along," Howard said.

"The bad guys are fuzzing [your products]. You should be fuzzing and finding those coding errors that be a security bug," he added.

Fuzzing is one of four elements in the "implementation" stage of the SDL and refers the use of structured but invalid inputs to software APIs to pinpoint errors and crashes. Since hackers are mastering the art of fuzzing to find security holes (HD Moore's Month of Browser Bugs was a public demo of the power of fuzzers), Howard suggests that software creators get familiar with the idea of using mangled data to trigger program crashes.

Howard, an outspoken blogger who once questioned the way Vista vulnerabilities are rated, used the talk to discuss the fallout from the animated cursor (.ani) attacks earlier this year and the defense-in-depth mitigations that helped protect Windows Vista users from the zero-day attacks.

Despite all the pen testing, code review, static analysis and fuzz testing efforts that went into Vista, Howard said everyone missed the animated cursor flaw -- and learned a valuable lesson on how critical things can fall through the cracks.

"One of the things we want our developers at Microsoft to understand is that you can't trust data. You need to understand what the bad guys can control and, if he can control a part of your code, what can he do with it. If he controls certain parts, that [can be] exploitable," Howard said.

In the aftermath of the attacks, Microsoft did a comprehensive review of the incident Howard dropped broad hints a few months ago about some major changes coming down the pike. Among the changes under consideration were additions to the list of banned API function calls, more aggressive checks for buffer overruns and enhancements to existing fuzz testing tools.

[ SEE: Microsoft mulling major changes to ward off .ANI-type flaws ]

At TechEd, Howard disclosed that the final recommendation to ban "memcpy" had been made. "I literally wrote that recommendation on the plane coming here. It's in the hands of the appropriate people and should go into effect later this year," Howard said.

His recommendation is to ban three API function calls -- memcpy, CopyMemory and RtlCopyMemory.

"We spend a lot of time understanding where the [security/hacker research] market is going and try to stay ahead of that. We're trying to think about what's happening next and that's why we do these root- cause analyses to figure out if there's a trend to what [vulnerabilities] people are finding."

Topics: Microsoft, Security, Software, Windows

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.