
Microsoft Previews Bug and Security Risk Detection on Windows and Linux

by Abel Avram on Jul 22, 2017

Microsoft has made available Project Springfield as an Azure service preview called Microsoft Security Risk Detection (MSRD) for detecting code bugs and security vulnerabilities in Windows and Linux applications.

While MSRD is advertised as a finder of security holes in code, it can be used to discover bugs too. It uses artificial intelligence to root out the causes of program crashes that might point to a security issue or a bug in the code. Microsoft has been using a part of the service on Windows, Office and other software since the mid-2000s. The tool is also used by the Microsoft Security Development Lifecycle process, which recommends testing at least those attack surfaces that expose a data parser to untrusted data.

Customers who want to run MSRD on their software are offered a VM to which they upload the binaries of the application to be tested and the input data seed files. MSRD uses white-box fuzzing based on the provided seed files to test the program, and reports the possible vulnerabilities found, giving developers the information they need to reproduce the problem. (More information on Fuzzing Basics can be found on this documentation page.)
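The seed-file workflow described above can be illustrated with a small added example, which is not Microsoft's code and does not use MSRD. It assumes a constructed record format, parser and seed, and it uses exhaustive single-byte mutation, a simpler black-box stand-in for the white-box fuzzing MSRD performs, to find a crash in a data parser, report a reproducing input, and confirm that a bounds check removes the finding.

```python
class MalformedRecord(ValueError):
    """Input rejected cleanly by the parser: expected behaviour, not a finding."""

def parse_record(data: bytes, check_bounds: bool = False) -> list:
    """Parse a constructed format: b"RC", a field count, then per field a
    length byte, the payload, and a checksum byte (sum of payload mod 256)."""
    if len(data) < 3 or data[:2] != b"RC":
        raise MalformedRecord("bad header")
    pos, fields = 3, []
    for _ in range(data[2]):
        if pos >= len(data):
            raise MalformedRecord("truncated field")
        length = data[pos]
        pos += 1
        if check_bounds and pos + length >= len(data):
            raise MalformedRecord("length overruns buffer")  # the fix
        payload = data[pos:pos + length]
        # Deliberate bug when check_bounds is False: the length byte is
        # trusted, so this index can fall outside the buffer.
        if data[pos + length] != sum(payload) % 256:
            raise MalformedRecord("checksum mismatch")
        fields.append(payload)
        pos += length + 1
    return fields

def fuzz(seed: bytes, target) -> dict:
    """Try every single-byte mutation of the seed. Return, per unexpected
    exception type, the first reproducing input, its offset and a hit count."""
    findings = {}
    for offset in range(len(seed)):
        for value in range(256):
            if value == seed[offset]:
                continue
            case = seed[:offset] + bytes([value]) + seed[offset + 1:]
            try:
                target(case)
            except MalformedRecord:
                pass  # clean rejection of bad input
            except Exception as exc:  # anything else is a finding
                entry = findings.setdefault(
                    type(exc).__name__, {"repro": case, "offset": offset, "count": 0})
                entry["count"] += 1
    return findings

# Constructed seed file: one field, payload b"abc", checksum 294 % 256 = 38.
SEED = b"RC\x01\x03abc" + bytes([sum(b"abc") % 256])

if __name__ == "__main__":
    for name, hit in fuzz(SEED, parse_record).items():
        print(name, hit["count"], "inputs; reproduce with", hit["repro"].hex())
    print("hardened:", fuzz(SEED, lambda d: parse_record(d, check_bounds=True)))
```

Grouping findings by exception type and keeping one reproducing input per group mirrors the kind of report a developer needs to replay the crash locally.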

MSRD can be used to fuzz the code of websites, but with some limitations: it cannot discover cross-site scripting or request forgery vulnerabilities. It can also be used for managed code and Azure applications, but in the latter case the service won’t be able to access other Azure services, as cloud applications usually do.

Applications running on Windows Server 2008 R2 and Red Hat Linux are currently supported, with Linux under preview. Microsoft is also working on adding support for Windows 10 and Windows Server 2016. Microsoft intends to offer the Security Risk Detection tool through Microsoft Services later this fall.
