
Microsoft Previews Bug and Security Risk Detection on Windows and Linux


Batu69


Microsoft has made available Project Springfield as an Azure service preview called Microsoft Security Risk Detection (MSRD) for detecting code bugs and security vulnerabilities in Windows and Linux applications.

 

While MSRD is advertised as a finder of security holes in code, it can be used to discover bugs too. It uses artificial intelligence to root out the causes of program crashes that might point to a security issue or a bug in the code. Microsoft has been using a part of the service on Windows, Office and other software since the mid-2000s. The tool is also used by the Microsoft Security Development Lifecycle process, which recommends testing at least those surface attacks that expose a data parser to untrusted data.

 

Customers willing to run MSRD on their software are offered a VM where they upload the binaries of the application to be tested and input data seed files. MSRD uses white-box fuzzing based on the data seed files provided to test the program, and reports the possible vulnerabilities found, offering information to developers to reproduce the problem. (More information on Fuzzing Basics can be found on this documentation page.)

 

MSRD can be used to fuzz the code of websites but with some limitations, not being able to discover cross-site scripting or request forgery vulnerabilities. Also, it can be used for managed code and Azure applications, but in the latter case the service won’t be able to access other Azure services as it usually happens with cloud applications.

 

Applications running on Windows Server 2008 R2 and Red Hat Linux are currently supported, with Linux under preview. Microsoft is also working on adding support for Windows 10 and Windows Server 2016. Microsoft intends to offer the Security Risk Detection tool through Microsoft Services later this fall.

 

Article source


I read about something similar to this with Mozilla or Google. I remember CLIP from Microsoft; I don't think that is it.
