Microsoft Previews Bug and Security Risk Detection on Windows and Linux

Microsoft has made available Project Springfield as an Azure service preview called Microsoft Security Risk Detection (MSRD) for detecting code bugs and security vulnerabilities in Windows and Linux applications.

While MSRD is advertised as a finder of security holes in code, it can be used to discover bugs too. It uses artificial intelligence to root out the causes of program crashes that might point to a security issue or a bug in the code. Microsoft has been using part of the service on Windows, Office and other software since the mid-2000s. The tool is also used in the Microsoft Security Development Lifecycle process, which recommends testing at least those attack surfaces that expose a data parser to untrusted data.

Customers who want to run MSRD on their software are given a VM to which they upload the binaries of the application to be tested and the input data seed files. MSRD uses white-box fuzzing, based on the seed files provided, to test the program and reports the possible vulnerabilities found, giving developers the information needed to reproduce the problem. (More information on Fuzzing Basics can be found on this documentation page.)

MSRD can be used to fuzz the code of websites, but with some limitations: it cannot discover cross-site scripting or request forgery vulnerabilities. It can also be used for managed code and Azure applications, but in the latter case the service won't be able to access other Azure services, as cloud applications usually do.

Applications running on Windows Server 2008 R2 and Red Hat Linux are currently supported, with Linux under preview. Microsoft is also working on adding support for Windows 10 and Windows Server 2016. Microsoft intends to offer the Security Risk Detection tool through Microsoft Services later this fall.
