Sunday, September 23, 2007

Microsoft Learns from the Fuzzing Lesson

Via ComputerWorld -

September 21, 2007 (Computerworld) -- A wave of attacks targeting Microsoft Corp.'s Office 2003 last year taught the company some tough security lessons it's now aggressively applying, a Microsoft software engineer said today.

"When Office 2003 shipped, we thought we'd done some good work and that it would be a secure product," said David LeBlanc, a senior software development engineer with the Office team. "For the first two years after release, it held up really well, only two bulletins. [But] then people shifted their tactics and started finding problems in fairly large numbers."

LeBlanc, one of the proponents of Microsoft's Security Development Lifecycle (SDL) initiative, and Michael Howard, the co-author of Writing Secure Code for Vista, referred to the spate of attacks in 2006 that exploited numerous vulnerabilities in Office 2003's file formats. The suite's core applications -- Word, Excel and PowerPoint -- were all patched multiple times last year.

"I can't gloss this over. You can look up the security bulletins that apply to Office 2003 yourself."

The attacks, and the flaws they exposed, not only prompted immediate patches -- and the release this week of Office 2003 Service Pack 3 (SP3) -- but pushed Microsoft to step up efforts to track down bugs before shipping code.

"We realized that fuzzing needed to be a much bigger part of what we did," said LeBlanc. "We were already on the road to doing that, but we had to do more of it, and get smarter at it."

"Fuzzing" is a process used by security researchers trolling for vulnerabilities and by developers looking for flaws in their code before it goes public. Armed with fuzzers -- automated tools that drop data into applications, file formats or operating system components to see if, and where, they fail -- programmers stress-test software. LeBlanc calls it "exercising the code."

Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom-built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3. Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom-built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3.

---------------------------------------

If you heard it once you have heard it a thousand times...fuzzing shouldn't work.

I agree that fuzzing shouldn't work and the truth is...it is starting to work less and less as vendors (like Microsoft) start to seriously "exercise their code" before release.

But fuzzing is far from dead. Security professionals have moved from randomly fuzzing parts of programs into fuzzing in a very smart & focused manner which exercises the entire codebase. New fuzzing frameworks are being released which are making fuzzing process accessible to the masses....or are at least bringing it closer to the masses.

Sadly, random fuzzing will continue to work for many years against certain groups of software. It will work against vendors that haven't "learned the fuzzing lesson" or other programs which aren't built with security as a focus (shareware, small development shops, etc).

Just look at the recent vulnerabilities which were uncovered via fuzzing...
(this is just a small smaple)

Aug 2007 - Opera & Mozilla: JS Fuzzer Finds Flaws in Browsers
July 2007 - ISE: iPhone / Safari Moblie Browser (PDF)
June 2007 - Errata Secuirty: Safari Browser Flaws
Nov 2006 - MoKB: Month of Kernel Bugs
July 2006 - MoBB: Month of Browser Bugs
June 2006 - Lorcon: 802.11 Fuzzing Finds Driver Flaws

No comments:

Post a Comment