Microsoft Unveils Open Source Exploit Finder
Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest:
"Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
There's a presentation that explains how it works: http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx
The article mentions it does fuzz testing, so it'd be the former.
They talk about what to do when a bug is discovered. My understanding is that beta testing may result in thousands of crash reports. Clearly you'll want to prioritize fixing the exploitable crashes before the non-exploitable ones. It seems this software is to help you do that, although the article is short on technical detail.
It's released under the Ms-PL, which is OSI-approved.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
"bang" is ancient history.
http://en.wikipedia.org/wiki/Special_Characters
http://www.catb.org/~esr/jargon/html/A/ASCII.html
Or is that a senseless question anyway since it runs under Windows?
To answer the rhetorical question, yes it is a senseless question and the software is not really free. Here's an article on such a situation: http://www.gnu.org/philosophy/java-trap.html
That's proof that it can't always work. Not that it never works.
Are you sure, Coward?
http://www.opensource.org/licenses/ms-pl.html
Or you say it won't be released under ms-pl?
Patents Drive Free Software as Hurricanes Drive Construction Industry
Why do you believe that Microsoft doesn't run it on their own code?
Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.
From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 Million fuzzing iterations in Vista).
The GPL isn't open source compatible with most other open source licenses, either.
Do you even lift?
These aren't the 'roids you're looking for.
The article mentions it does fuzz testing, so it'd be the former.
Actually, the article says it's used during fuzz testing, not that it does fuzz testing.
It sounds more like an automated crash dump analyzer used after a fuzzer has caused the program to crash.
-- Wodin
Since Microsoft receives millions of crash dumps every day for every single Windows app (including third-party apps) they need hardcore bug triaging tools.
For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries to figure out whether it's a Microsoft bug or a bug in the third-party app. It also tries to classify the bug using advanced heuristics which have been refined over many years.
Now, they have decided to do the same for security bugs as well and thus they created the !exploitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always gets bad press regardless.
Also note that this tool cannot easily be used to find security bugs in the Linux kernel and not in Linux-only apps either because you must run it inside windbg. Further, in order for windbg to be useful you must have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice means you must have compiled it with Visual Studio (and not mingw etc).
So you need not just a port to windows (using mingw or similar) but you actually need to port the app to compile under MS compiler if you want to use this.
Apps like Firefox will be able to use this tool though, they already have a debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.
I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
"it's not open source compatible (gpl/others)"
Since when has Open Source and GPL been synonymous? BSD comes to mind....
Is that the license OSI approved which got a lot of flak because it says the source can only be run on Windows, or did they remove that use clause from their OSI licenses?
No. Those are the MS-LPL and MS-LRL licenses. The MS-PL license is fairly innocuous excepting the patent clause which is debatable. It allows the distribution of the source under this license and distribution of binaries for commercial use with a different license.
There's nothing mysterious about the "bang exploitable" nomenclature. That's how all the windbg extensions are commonly called verbally... bang analyze (!analyze), bang process (!process), and so on. It's been that way for as long as I can recall.
bated
adjective (in the phrase "with bated breath")
in great suspense; very anxiously or excitedly: he waited for a reply to his offer with bated breath.
ORIGIN late 16th cent.: from the past participle of obsolete bate [restrain], from abate.
USAGE The spelling "baited breath" instead of "bated breath" is a common mistake that, in addition to perpetuating a cliché, evokes a distasteful image. Before using the expression "bated breath", think of the verb abate, as in "the winds abated", not fish bait.
Sup Goth, this *is* Dan.
!exploitable isn't about finding bugs -- it's not a fuzzer, it's not a static analyzer, etc. It's about looking at a crash and saying, "Heh, this isn't just a Null Pointer Deref, you got EIP." Sure, that's obviously exploitable to you, but to some junior tester, that's not obvious at all.
That's why it's a game changer. The dev writing the buggy code can't just say, meh, prove it's exploitable. Now the tester can point out the output of !exploitable and say, prove Microsoft is wrong. Shifts the burden of proof in the exact direction you'd want.
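To make concrete what several comments above describe (a post-mortem tool that reads a crash, buckets duplicates the way "!analyze -v" does, and separates a null pointer dereference from a crash where the instruction pointer is controlled), here is an added Python illustration. It is not Microsoft's code and not the real !exploitable rules: the four bucket names follow the ones the tool reports, but the rating rules, the `NULL_PAGE_LIMIT` threshold, the stack-hash scheme and the crash records are all constructed assumptions standing in for parsed WinDbg output.

```python
"""Simplified crash triage in the spirit of !exploitable.
Added illustration only: the heuristics are assumptions, not the tool's rules.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Bucket names as !exploitable reports them; how each is reached below is a
# simplified assumption for illustration.
EXPLOITABLE = "EXPLOITABLE"
PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
PROBABLY_NOT = "PROBABLY_NOT_EXPLOITABLE"
UNKNOWN = "UNKNOWN"

NULL_PAGE_LIMIT = 0x10000        # assumption: faults below this read as null-deref
READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass
class Crash:
    exception: str        # e.g. "ACCESS_VIOLATION", "DIVIDE_BY_ZERO"
    access: str           # READ / WRITE / EXECUTE for an access violation
    fault_address: int    # address the faulting instruction touched
    ip: int               # instruction pointer at the time of the fault
    stack: List[str]      # symbolized frames, innermost first ("mod!func+0x1a")


def rate(c: Crash) -> str:
    """Assign one exploitability bucket to a single crash record."""
    if c.exception != "ACCESS_VIOLATION":
        # A plain divide-by-zero rarely hands control to an attacker.
        return PROBABLY_NOT if c.exception == "DIVIDE_BY_ZERO" else UNKNOWN
    if c.access == EXECUTE or c.ip == c.fault_address:
        # Faulting while fetching instructions from a bad address means the
        # instruction pointer itself is corrupted: the "you got EIP" case.
        return EXPLOITABLE
    if c.access == WRITE:
        # A write to an invalid address corrupts memory; treat as the worst case.
        return EXPLOITABLE
    if c.fault_address < NULL_PAGE_LIMIT:
        # A small offset from zero is the signature of an unchecked null pointer.
        return PROBABLY_NOT
    # A read from an arbitrary address may still leak data or steer control.
    return PROBABLY_EXPLOITABLE


def bucket(c: Crash, depth: int = 5) -> Tuple[str, str]:
    """(major, minor) stack hashes so crashes with one root cause group together.
    Major ignores instruction offsets and only looks at the top frames."""
    def h(frames: List[str]) -> str:
        return hashlib.sha1("|".join(frames).encode()).hexdigest()[:16]
    major = h([f.split("+")[0] for f in c.stack[:depth]])
    minor = h(c.stack)
    return major, minor


def triage(crashes: List[Crash]) -> List[Dict]:
    """Group by major bucket, keep the worst rating seen in each bucket, and
    return buckets ordered most dangerous first, so the tester fixes those."""
    order = {EXPLOITABLE: 0, PROBABLY_EXPLOITABLE: 1, UNKNOWN: 2, PROBABLY_NOT: 3}
    buckets: Dict[str, Dict] = {}
    for c in crashes:
        major, _ = bucket(c)
        r = rate(c)
        entry = buckets.setdefault(major, {"rating": r, "count": 0, "top": c.stack[0]})
        entry["count"] += 1
        if order[r] < order[entry["rating"]]:
            entry["rating"] = r
    return sorted(buckets.values(), key=lambda e: order[e["rating"]])


# Constructed sample crash records (not real dumps), as a fuzzer might produce.
SAMPLE_CRASHES = [
    Crash("ACCESS_VIOLATION", WRITE, 0x41414141, 0x00401a2a,
          ["parser!copy_chunk+0x2a", "parser!parse_record+0x80", "main+0x30"]),
    Crash("ACCESS_VIOLATION", READ, 0x00000008, 0x00401a10,
          ["parser!copy_chunk+0x10", "parser!parse_record+0x80", "main+0x30"]),
    Crash("ACCESS_VIOLATION", READ, 0x00000018, 0x00402200,
          ["ui!draw+0x10", "ui!paint+0x55", "main+0x30"]),
    Crash("ACCESS_VIOLATION", EXECUTE, 0x41414141, 0x41414141,
          ["0x41414141", "net!handle_packet+0x9c", "main+0x30"]),
    Crash("DIVIDE_BY_ZERO", READ, 0x0, 0x00403005,
          ["math!divide+0x5", "main+0x30"]),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_CRASHES):
        print(f'{entry["rating"]:24} x{entry["count"]}  {entry["top"]}')
```

Note that the two `parser!copy_chunk` crashes land in one major bucket even though their offsets differ, and the bucket inherits the worse of the two ratings; that is the triage effect the comments above describe, where thousands of dumps collapse into a short list ordered by risk.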
This is Dan.
OK, my DNS bug took two days to find, and six months to fix. I'm not sure what universe you're in; in mine, we have to actually test.
Or is that a senseless question anyway since it runs under Windows?
SVN runs under Windows. GCC runs under Windows. Gimp runs under Windows. Apache runs under Windows. Hell, just about any project with a configure script will either compile for Windows as-is, or will after slight modifications. FOSS has nothing to do with whether it runs under Windows or not.