November 20, 2014 – SDL Team – Trustworthy Computing, Microsoft
We are delighted to announce the general availability of a new version of the BinScope Binary Analyzer, Microsoft BinScope version 2014. BinScope is a tool used during the Security Development Lifecycle (SDL) verification phase. It is available as a free download from the Microsoft Download Center here.
BinScope was designed to help detect potential vulnerabilities that can be introduced into Binary files. The tests it implements examine application binary files to identify coding and build practices that can potentially render the application vulnerable to attack or to being used as an exploit attack vector.
BinScope 2014 offers many new improvements over version 1.2, such as:
Improved Diagnostic Messages
A key focus for us this release was to ensure that diagnostic messages are clear and actionable for engineers when a potential vulnerability is detected. We believe that being able to quickly understand not only the potential issue but its mitigation is key.
New Minimum Compiler and Minimum Linker Version Switch
By default, BinScope 2014’s CompilerVersionCheck will adhere to the compiler and linker versions defined in the SDL guidance. However, we recognize that compiler and linker versions will evolve over time, as a result we have added two new command line switches. These switches, known as /MinimumCompilerVersion and /MinimumLinkerVersion, provide the ability to adjust the minimum linker and compiler versions that BinScope will detect when running the CompilerVersionCheck.
Another important focus for us was to improve the performance of BinScope when executing a scan, particularly with large binaries. As a result, we have been able to improve the scanning performance of BinScope by up to 4 times.
Other changes include:
- Removal of the Graphical User Interface (GUI).
- Removal of directory scanning, instead individual binary paths should be provided.
- General bug fixes.
For more information and additional resources, visit:
About the Author
Trustworthy Computing, Microsoft