Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Unveils Open Source Exploit Finder

Posted by Soulskill on from the solutions-looking-for-problems dept.

Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: "Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."

9 of 310 comments (clear)

  1. Direct link to explanation by DavidR1991 · · Score: 5, Informative

    There's a presentation that explains how it works: http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx

  2. Re:auto-hack or brute force? by interiot · · Score: 4, Informative

    The article mentions it does fuzz testing, so it'd be the former.

  3. Re:Libre? by Macthorpe · · Score: 5, Informative

    It's released under the Ms-PL, which is OSI-approved.

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  4. Re:Bang exploitable by Clover_Kicker · · Score: 5, Informative

    "bang" is ancient history.

    http://en.wikipedia.org/wiki/Special_Characters

    http://www.catb.org/~esr/jargon/html/A/ASCII.html

  5. Re:There's already proof that this can't work by spydabyte · · Score: 4, Informative

    That's proof that it can't always work. Not that it never works.

  6. Re:Libre? by larry+bagina · · Score: 5, Informative

    The GPL isn't open source compatible with most other open source licenses, either.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  7. windbg needs PDB so app must compile in MSVS by formal_entity · · Score: 5, Informative
    It's a plugin to the windbg debugger. so that when it hits an access violation (which is MS speak for SIGSEG) you can do !expoitable and it will use some heuristics to guess whether this bug is an exploitable security vulnerability.

    Since Microsoft receives millions of crash dumps every days for every single Windows app (including third-party apps) they need hardcore bug triaging tools.

    For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries go figure out whether it's a Microsoft bug or a bug in the third-app. It also tries to classify the bug using advanced heuristics which has been refined over many years.

    Now, they have decided to do the same for security bugs as well and thus they created the !expoitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always get's bad press regardless.

    Also note that this tool cannot easily be used to find security bugs in the linux kernel and not in linux-only apps either because you must run it inside windbg. Further, in order for windbg to be useful you just have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice mean you must have compiled it with Visual Studio (and not mingw etc).

    So you need not just a port to windows (using mingw or similar) but you actually need to port the app to compile under MS compiler if you want to use this.

    Apps like Firefox will be able to use this tool though, they already have debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.

    I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.

  8. Re:Libre? by 99BottlesOfBeerInMyF · · Score: 4, Informative

    Is that the license OSI approved which got a lot of flak because it says the source can only be run on windows or did they remove that use clause from their OSI licenses?

    No. Those are the MS-LPL and MS-LRL licenses. The MS-PL license is fairly innocuous excepting the patent clause which is debatable. It allows the distribution of the source under this license and distribution of binaries for commercial use with a different license.

  9. Re:auto-hack or brute force? by Effugas · · Score: 4, Informative

    Sup Goth, this *is* Dan.

    !exploitable isn't about finding bugs -- it's not a fuzzer, it's not a static analyzer, etc. It's about looking at a crash and saying, "Heh, this isn't just a Null Pointer Deref, you got EIP." Sure, that's obviously exploitable to you, but to some junior tester, that's not obvious at all.

    That's why it's a game changer. The dev writing the buggy code can't just say, meh, prove it's exploitable. Now the tester can point out the output of !exploitable and say, prove Microsoft is wrong. Shifts the burden of proof in the exact direction you'd want.