Stephen Withers
Thursday, 15 July 2010 16:37
A technique popular among security researchers has detected thousands of bugs in Microsoft software while still in the development phase.
The idea of file fuzzing to identify potential vulnerabilities is simple: you make a random alteration to a 'good' file, then open it in the application of interest. The application should either open the document (because it is still well formed even though the data has changed) or display an error because the file is now incorrectly structured.
If the application crashes, it means the code hasn't correctly validated the contents of the file and something has gone wrong, perhaps because some part of the data has overwritten other values in memory.
Microsoft's current practice is to run 100,000 iterations on a "representative set" of template files, said Lars Opstad, principal security group manager, science, at Microsoft's Security Engineering Center, though more or fewer may be required.
Vista and Windows 7 were both fuzzed by Microsoft, and around 300 bugs were fixed in each as a result. The difference was that the 250 file parsers in Vista went through 350 million iterations, while the 300+ parsers in Windows 7 were subjected to more than 3 billion.
The Vista experience was that there was a high return on investment from carrying out up to 500,000 iterations, and that carrying out at least 250,000 iterations after the last new bug was detected would catch 92% of parsers with bugs.
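The mutate-and-open loop described above, together with the "keep going for N iterations after the last new bug" stopping rule, can be shown end to end in a few dozen lines. The following is an added example written for this article; it is not Microsoft's tooling or any real file format. It uses a constructed toy format (a "FZ" magic, a record count, then length-prefixed records), a deliberately unchecked parser beside a bounds-checked one, a one-change mutator, and a driver that classifies each outcome as opened cleanly, rejected with a controlled error, or crashed, deduplicating crashes by exception type and source line so one bug reached by many inputs is counted once.

```python
import random

# Constructed toy file format (an assumption for this example, not any real
# Microsoft format): 2-byte magic "FZ", a 1-byte record count, then each
# record as a 1-byte length followed by that many payload bytes.
TEMPLATE = b"FZ" + bytes([3]) + b"\x03abc" + b"\x02de" + b"\x04wxyz"


def sloppy_parse(data):
    """Parser that trusts the count and length fields. Well-formed input parses
    fine and a bad magic is rejected cleanly, but a corrupted count or length
    indexes past the end of the buffer and raises an unexpected IndexError,
    which is the kind of failure a fuzzer is looking for."""
    if data[:2] != b"FZ":
        raise ValueError("bad magic")          # controlled rejection
    count = data[2]
    pos = 3
    records = []
    for _ in range(count):
        length = data[pos]                     # no bounds check on pos
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records


def hardened_parse(data):
    """Same format, but every field is validated against the buffer length,
    so any malformed input is rejected with a controlled ValueError."""
    if len(data) < 3 or data[:2] != b"FZ":
        raise ValueError("bad or truncated header")
    count = data[2]
    pos = 3
    records = []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("record count exceeds file length")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("record length exceeds file length")
        records.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def mutate(template, rng):
    """Apply one random alteration to a copy of the good file."""
    data = bytearray(template)
    kind = rng.randrange(3)
    if kind == 0:                              # overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif kind == 1:                            # flip one bit
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    else:                                      # truncate the file
        del data[rng.randrange(len(data)):]
    return bytes(data)


def crash_signature(exc):
    """Bucket crashes by exception type and the line that raised it."""
    tb = exc.__traceback__
    while tb.tb_next:
        tb = tb.tb_next
    return (type(exc).__name__, tb.tb_lineno)


def fuzz(parser, template, iterations, seed=0, quiet_limit=None):
    """Run the mutate/parse loop. ValueError is the parser's own rejection of
    a malformed file; any other exception is a crash. If quiet_limit is set,
    stop once that many iterations have passed since the last new crash."""
    rng = random.Random(seed)
    stats = {"ok": 0, "rejected": 0, "crash": 0}
    unique = {}                                # signature -> first input hitting it
    last_new = 0
    i = 0
    for i in range(1, iterations + 1):
        sample = mutate(template, rng)
        try:
            parser(sample)
            stats["ok"] += 1
        except ValueError:
            stats["rejected"] += 1
        except Exception as exc:               # anything else counts as a crash
            stats["crash"] += 1
            sig = crash_signature(exc)
            if sig not in unique:
                unique[sig] = sample
                last_new = i
        if quiet_limit and i - last_new >= quiet_limit:
            break
    return stats, unique, i


if __name__ == "__main__":
    for parser in (sloppy_parse, hardened_parse):
        stats, unique, ran = fuzz(parser, TEMPLATE, 20000, seed=1, quiet_limit=5000)
        print(f"{parser.__name__}: {ran} iterations, {stats}, "
              f"{len(unique)} distinct crash sites")
        for (name, line), sample in unique.items():
            print(f"  {name} at line {line}: {sample!r}")
```

Running it shows the point of the article in miniature: the unchecked parser produces crashes within the first few hundred iterations, and they collapse to a handful of distinct sites, while the bounds-checked parser only ever reports "ok" or "rejected". The quiet_limit parameter is the toy version of the "250,000 iterations after the last new bug" rule; for a real target the parser call would be replaced by launching the application on the mutated file under a debugger or crash monitor.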
But effective fuzzing isn't quite that simple. See page 2.