MORSE security team takes proactive approach to finding bugs

When it comes to a complex issue such as computer security, there are no simple answers. As the effects of hacking run the gamut from the annoyingly personal – like never-ending popup windows on your computer screen – to a large-scale, global level – such as the gasoline shutdowns that crippled the East Coast in 2021 – it makes sense that there’s no single approach to attacking the problem.

It takes more than just one angle to handle what has become an increasingly important aspect of technology development. Many organizations simply focus on patching problems after they occur. But Microsoft is taking a holistic direction in its security measures, covering the entire spectrum with a team that is working to stop vulnerabilities before they even spawn, eliminating code flaws before they reach your computer and the prying keyboards of hackers across the globe. For the security team, the thinking goes, it’s never an if, but when an issue will arise.

“It’s a perennial cat and mouse game,” said Justin Campbell, principal security software engineering lead, Microsoft Security. “Things are evolving. Windows isn’t stagnant. There are new things added, new considerations, new technologies and new procedures researched. That’s not just in security, but how we build our software. There’s still code from 30 years ago that’s in equal consideration with new items we are shipping today. It’s a tremendous spectrum.”

Campbell leads a new global security team comprised of more than 60 members called Microsoft Offensive Research & Security Engineering (MORSE), which takes a three-pronged approach to securing code within the operating system. Red, blue and green teams, each with a different role to play, help MORSE aggressively battle security threats, repair broken code and prevent issues from ever happening.

The overlapping work done by the trio of teams helps develop new technology that benefits each side, from identifying potential weak spots in code to building new tools for the latest threats to strengthening security capabilities that have short- and long-term effects.

Many cybersecurity terms have their roots in computer simulations, video games, military exercises and real-time simulators that many of the experts have studied to learn the tricks of the trade. So, red teams try to identify an attack path to breach organizations’ security defenses through real-world attack strategies. Blue teams attempt to defend those attacks and prevent the red team from breaching existing defenses. Green teams help mitigate high-risk, systemic security issues and fix them at scale by building in learnings and tools from the red and blue teams.

Other industry security teams focus primarily on red-teaming security issues, but MORSE is a blend of all three teams working continuously to find and fix vulnerabilities before attackers.

“We aren’t just a red team where we come in and find bugs,” Campbell said. “We don’t just wait for an external entity to tell us there’s a bug. We have a group that is the right balance of self-sufficiency to identify issues, react and then make investments in the product. This isn’t just traditional bug hunting.”

More importantly, the group isn’t interested in keeping its findings just for Microsoft. The hacking community is one that is committed to sharing research and results to make a better product for everyone to use.

“Our goal is to make every person writing code better,” Campbell said.

A prime example of how the team works and the damage it can help prevent was an issue around Microsoft’s implementation of the version 1.3 release of Transport Layer Security (TLS). TLS is a protocol designed to provide secure communication over untrusted networks and is used in various applications, most importantly in the security layer of an HTTPS website address. Part of what the MORSE team does is re-explore older code that was created before security review was an integral component of the software development lifecycle. In this case, the MORSE team reviewed the update ahead of its release and discovered a remote code execution flaw that would have allowed hackers to access users’ machines.

“It would have been as bad as it gets,” said Mitch Adair, principal security lead for Cloud Security. “TLS is used to secure basically every single service product that Microsoft uses. But in the process of reviewing the code, we discovered this and were able to fix it.”

Microsoft has also enabled developers to join the process of keeping their code safe, launching OneFuzz, a testing framework for Azure. Fuzz testing is a highly effective method for increasing the security and reliability of native code. It creates a feedback loop of random events to increase the chances of finding unforeseen bugs. It’s a step beyond traditional static testing that developers utilize to find and fix known bugs.

Traditionally, fuzz testing has been a necessary evil for developers, as it is part of the development lifecycle but complicated to execute effectively. OneFuzz shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work. And, as another example of how the MORSE team takes an overarching approach, the team’s work to make an internal program tool process faster will allow OneFuzz to run more tests.

We aren’t just a red team where we come in and find bugs. We don’t just wait for an external entity to tell us there’s a bug. We have a group that is the right balance of self-sufficiency to identify issues, react and then make investments in the product. This isn’t just traditional bug hunting.

We are invested in helping developers actually get the right thing to happen and help improve their outcomes,” Campbell said. “OneFuzz helps them find bugs on their own.”

So, do you have to think like a hacker to defeat one? One of the key elements in hiring security members for MORSE is finding candidates who have the skill set and frame of mind to tackle the challenges that arise daily from the ever-evolving cybersecurity landscape. Team members have a variety of backgrounds, and that diversity leads to varied ways of approaching and solving security problems.

For Security Software Engineer Toshi Piazza, his work with Microsoft feels like a natural extension of the hobby he picked up at Rensselaer Polytechnic Institute, where he was part of the school’s RPI Security team, taking part in “capture the flag” hacking competitions.

“The team isn’t like-minded, but I do think we all have a natural curiosity level,” Piazza said. “We have this mindset already and it bleeds into our everyday work. We put on our hacker caps and get to home in on specific issues. That’s not a bad thing. In general, I just find this super-interesting.”

Fun seems like an odd way to describe a job where one mistake could affect millions of users worldwide, but the MORSE members say the combination of the challenge and benefit of helping customers is worth it.

“People who are in this industry, who play capture the flag events and join tournaments are doing it because of the super analytical nature, the chess match back and forth,” Adair said. “The first thing is ‘Baby’s First Exploit,’ and how do I get past that? It could take 10 minutes or three days? Then you’re advancing into things that are getting progressively more difficult – mitigations that defensive people have been developing for the last 20-30 years. It’s that constant desire to learn and puzzle your way through something that is exciting.”

And if the MORSE team doesn’t get the accolades it may deserve for foiling some potentially catastrophic issues – well, that’s all part of the plan. “People don’t hear about our successes because, by virtue of being successful, we don’t make it into the news,” Piazza said. “That’s exactly what we want.”