In the more than nine years since Bill Gates’s Trustworthy Computing email kicked off Microsoft’s comprehensive, company-wide security initiative, the company has not only committed a tremendous amount of money and resources to the project but also has been quite open and public about the process. This week, Microsoft released its first major report on the progress and changes in the Security Development Lifecycle program, detailing not only its progress but also the things that still need to be improved.
The SDL Progress Report, which Microsoft released Wednesday, lays out the history of the Trustworthy Computing program, from Gates’s memo up through the current efforts. One major section of the report details the major exploit mitigation tactics, such as DEP (data execution prevention), ASLR (address space layout randomization), GS (the /GS stack-cookie protection added by the compiler) and others, that Microsoft has implemented in many of its products in the last few years in an attempt to make memory-corruption vulnerabilities harder and less reliable to exploit. Many of these mitigations have been included in Windows and other Microsoft applications for some time, but because DEP and ASLR are opt-in per executable image, set by the linker when the binary is built, they only protect a process if every module loaded into it was built with them. For the mitigations to be fully effective, they also need to be enabled in the third-party commercial software that runs on Windows.
As part of the SDL report Microsoft looked at more than 40 popular applications and found that there are still quite a number of apps that either haven’t implemented mitigations such as DEP or ASLR at all or have only done so partially.
“In practice, of the 41 applications surveyed, 34% fully enabled support for ASLR, 46% partially enabled support, and 20% did not enable support for any of their images,” the report says. “This data indicates that many of the popular consumer applications have not fully enabled support for ASLR at this time.”
Microsoft broke the adoption rate down by geographic location as well as by software category, and found that all of the browsers they investigated had fully implemented ASLR, but only 30 percent of browser plug-ins had done so. That disparity weakens the browsers themselves: a plug-in built without ASLR is loaded into the browser process at a predictable address, which hands an attacker a fixed set of code and data locations to build an exploit around, no matter how carefully the browser’s own binaries were built.
“This data clearly shows that ASLR adoption by applications in most market segments has been very slow, despite the technology being available for more than four years. It suggests that many applications have a security posture that is weaker than necessary, which could allow attackers to more easily exploit vulnerabilities. Web browser clients and, to a lesser degree, telecommunication software (such as IM clients) currently appear to be exceptions to this rule. The fact that these applications have adopted ASLR more quickly than others should not be surprising given the amount of direct exposure these types of products have to untrusted data on the Internet,” Microsoft says in the SDL report.
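The survey above comes down to reading two header bits in every image an application ships. As an added example, not code from the report or from Microsoft, the following Python parses the DllCharacteristics field of a PE image to see whether it opted into DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT) and ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), and then applies the report's "full / partial / none" categories across all the modules of a process. It also covers a caveat the flag alone misses: an image whose relocations were stripped (IMAGE_FILE_RELOCS_STRIPPED in the COFF header) cannot be rebased, so the loader cannot randomize it even if DYNAMIC_BASE is set. The function and module names are this example's own, and the PE blobs are constructed minimal headers, not real binaries.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (values from the PE/COFF spec)
DYNAMIC_BASE = 0x0040   # ASLR opt-in, set by the linker's /DYNAMICBASE
NX_COMPAT = 0x0100      # DEP opt-in, set by the linker's /NXCOMPAT
# IMAGE_FILE_HEADER.Characteristics flag
RELOCS_STRIPPED = 0x0001  # no relocation data: the image cannot be rebased


def build_min_pe(dll_chars, relocs_stripped=False, pe32plus=False):
    """Construct a minimal PE header blob (constructed test data, not loadable)."""
    e_lfanew = 0x40                                  # PE signature right after the DOS header
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x014C          # AMD64 or i386
    opt_size = 240 if pe32plus else 224               # optional header incl. 16 data directories
    file_chars = 0x0002 | (RELOCS_STRIPPED if relocs_stripped else 0)  # EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_chars)        # DllCharacteristics, same offset in PE32/PE32+
    return dos + b"PE\0\0" + coff + bytes(opt)


def pe_mitigations(data):
    """Return which opt-in mitigations a PE image declares in its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, _nsec, _ts, _sym, _nsym, _opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        # DYNAMIC_BASE is only meaningful if the loader can actually relocate the image
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "relocs_stripped": relocs_stripped,
    }


def weak_images(images, mitigation):
    """Names of the modules in a process that lack the given mitigation ('dep' or 'aslr')."""
    return [name for name, blob in images.items() if not pe_mitigations(blob)[mitigation]]


def classify(images, mitigation):
    """Apply the report's categories to one application: every image, some, or none opted in."""
    missing = len(weak_images(images, mitigation))
    if missing == 0:
        return "full"
    if missing < len(images):
        return "partial"
    return "none"


# Constructed sample: a browser whose own binaries opt in, plus two third-party modules.
SAMPLE_PROCESS = {
    "browser.exe": build_min_pe(DYNAMIC_BASE | NX_COMPAT),
    "browser_core.dll": build_min_pe(DYNAMIC_BASE | NX_COMPAT, pe32plus=True),
    "legacy_plugin.dll": build_min_pe(NX_COMPAT),                            # DEP yes, ASLR no
    "old_codec.dll": build_min_pe(DYNAMIC_BASE | NX_COMPAT, relocs_stripped=True),  # flag set, unusable
}

if __name__ == "__main__":
    for mitigation in ("dep", "aslr"):
        print(mitigation, classify(SAMPLE_PROCESS, mitigation), weak_images(SAMPLE_PROCESS, mitigation))
```

On a real system the same parser can be pointed at the on-disk module list of a running browser; the images it names as weak are exactly the fixed-address modules an attacker would look for.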
Some in the software security community, however, see the adoption rates of these mitigation technologies as better than they expected.
“I was actually positively surprised at the rate of adoption of ASLR and DEP, that it was so high. It can take some doing to implement them, especially ASLR, depending on your code pile and what you’re expecting to be able to do with memory,” said Gary McGraw, CTO of Cigital. “It’s technically harder in some situations, especially if you’re worried about performance.”
McGraw said that Microsoft deserves credit for not just publishing a progress report but also for releasing the tools that they use in the SDL and continuing to refine and adapt their processes as the threats and technologies change.
“I like the fact that they’re publishing something like this,” he said. “What’s interesting is the progress they’ve made. In the BSIMM stuff we do, there’s a number of advanced, sort of rocket science activities that are at level three, and some of those are things that Microsoft invented. The idea of having a security science team that looks through the code base for new classes of vulnerabilities that aren’t even known yet and trying to eradicate those ahead of time.”