Free Microsoft tools for detecting security problems
Two tools, BinScope and MiniFuzz, for detecting security holes in applications are now available to developers – free from Microsoft. The BinScope Binary Analyzer checks binary code to establish whether all the recommended and required security flags (/GS, /SafeSEH and more), protective mechanisms (for example /DYNAMICBASE for ALSR) and controls have been included, or activated, in a program. While with the MiniFuzz File Fuzzer, developers can test their applications for unexpected behaviour and establish early in the development cycle whether problems like program crashes need to be investigated for potential security risks. The basic fuzzing principles are explained in a feature article titled "Data salad" in The H Security.
Microsoft has used both tools within its Security Development Lifecycle (SDL) for quite some time. For instance, BinScope analysis and MinuFuzz fuzzer testing is mandatory during the SDL product verification phase. The tools are available as stand-alone applications or they can be integrated into Visual Studio 2008. Microsoft has released short video demos of BinScope and MiniFuzz on its TechNet pages.
An additional short tutorial (direct .docx download) explains how to integrate the "SDL Process Template for Visual Studio Team System" into Visual Studio, and provides details on how to use it. The SDL Process Template was released last May.
See also:
- Microsoft releases free tool for secure software development, a report from The H.
- Version 3 of Microsoft's Threat Modelling Tool released, a report from The H.
(crve)