Two new free testing tools can help Windows programmers build better security into their C and C++ applications. The tools support Microsoft's SDL (Security Development Lifecycle) process, which builds security and privacy provisions into the development lifecycle rather than relying on testing just before or after an application is deployed. The tools are available for free download from the Microsoft download center.
Both tools provide easy integration with TFS 2008 and the SDL Process Template for VSTS 2008.
BinScope Binary Analyzer integrates directly into the Visual Studio 2008 IDE. It analyzes binaries to validate adherence to SDL requirements: it checks that the SDL-required compiler and linker flags are set, that strong-named assemblies are in use, and that up-to-date build tools are in place.
BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers).
To download, see BinScope Binary Analyzer.
MiniFuzz File Fuzzer is a Visual Studio 2008 add-in that implements the fuzz testing technique. Testers check application behavior by parsing files that have been deliberately corrupted. Security tests are applied to take code through different flow patterns and identify whether resulting crashes should be investigated as potential application security risks.
This tool creates multiple random variations of file content and feeds them to the application, exercising the code in an attempt to expose unexpected application behaviors.
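The fuzzing loop described above, reduced to a small C harness as an added example (not MiniFuzz's code or anything shipped by Microsoft). The record format, both parsers, and the `fuzz` function are constructed for illustration; the harness flags an out-of-bounds length instead of actually crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (assumption): 'S' 'D' <len> <len payload bytes>. */
static const uint8_t SEED[] = { 'S', 'D', 4, 'A', 'B', 'C', 'D' };

/* Both parsers return the payload length they would read, or -1 to reject. */
typedef int (*parser_fn)(const uint8_t *buf, size_t n);

/* Trusts the length byte: the defect the fuzzer should surface. */
int parse_trusting(const uint8_t *buf, size_t n) {
    if (n < 3 || buf[0] != 'S' || buf[1] != 'D') return -1;
    return buf[2];
}

/* Rejects a length byte that points past the end of the input. */
int parse_checked(const uint8_t *buf, size_t n) {
    if (n < 3 || buf[0] != 'S' || buf[1] != 'D') return -1;
    if ((size_t)buf[2] > n - 3) return -1;
    return buf[2];
}

/* Deterministic LCG so every finding can be replayed from the same state. */
static uint32_t next_rand(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Corrupt one random byte of the seed per iteration, parse it, and count the
   inputs for which the parser claims a payload extending past the buffer.
   In a real target that is an out-of-bounds read: a crash worth triaging. */
int fuzz(parser_fn parse, int iterations, uint32_t rng_state) {
    int findings = 0;
    for (int i = 0; i < iterations; i++) {
        uint8_t buf[sizeof SEED];
        memcpy(buf, SEED, sizeof SEED);
        uint32_t r = next_rand(&rng_state);
        buf[(r >> 24) % sizeof buf] = (uint8_t)(r >> 16);
        int len = parse(buf, sizeof buf);
        if (len >= 0 && (size_t)len + 3 > sizeof buf) findings++;
    }
    return findings;
}

int main(void) {
    printf("trusting: %d findings\n", fuzz(parse_trusting, 2000, 0));
    printf("checked:  %d findings\n", fuzz(parse_checked, 2000, 0));
    return 0;
}
```

Because the generator is seeded, any finding can be reproduced by rerunning with the same starting state, which is what makes a fuzz crash actionable for triage.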
The Security Development Lifecycle team also provides:
For more information about these tools and paper, see Microsoft Security Development Lifecycle (SDL).
Bruce D. Kyle ISV Architect Evangelist | Microsoft Corporation