Wednesday, September 18 • 14:00 - 15:00
C++ Sanitizers and Fuzzing for the Windows Platform Using New Compilers, Visual Studio, and Azure


We have extended Google’s Address Sanitizer to add it to the C++ compilers for Windows, enhanced the open source runtimes to make Address Sanitizer work for a wide variety of Windows applications, and topped it off with Azure-powered fuzzing controlled directly in the Visual Studio IDE. You will see how we have deployed this technology on major products from Microsoft, including Office, Windows, and the compiler itself. You can use this to find critical memory safety bugs at scale in your code.

We’ve added the Google Sanitizer technology to the C++ compilers for Windows and enhanced the open source runtimes. The power of this technology for both security and correctness is compelling. The Microsoft platform has years of legacy and non-standard C++ code that will not compile with Clang/LLVM. These large code bases ship from within Microsoft and from a large number of top ISVs. We first talk about the value of compiling with this new technology as measured within Microsoft. We then briefly open up the compiler’s code generation and the Google runtime to provide an overview of how the technology works.

Key to making this technology pervasive is support in Visual Studio 2019. We demonstrate two failures in the IDE: one difficult bug that’s present in an application, and another bug that we found inside the Microsoft compiler itself. These are correctness bugs, not security vulnerabilities. For the security value proposition, we demonstrate a POC in a Windows DLL. We also cover the effects this C++ technology is having on the internal development process. We discuss compiling all of Office and then compiling code at an ISV we have worked with pre-release.

Fuzzing is a process that’s key to using this technology beyond unit testing. Fuzzing in the cloud is attractive because we’ve made the experience fire-and-forget directly from Visual Studio. We conclude the talk with a demonstration that shows a new integration of Visual Studio with a fuzzing service in Azure.

Speakers

Jim Radigan

VC++ Architect, Microsoft


Wednesday September 18, 2019 14:00 - 15:00 MDT
Summit 8/9