Slashdot Mirror
Microsoft Unveils Open Source Exploit Finder
Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest:
"Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
'hellfrozeover' tag in 3... 2... 1...
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?
I want to delete my account but Slashdot doesn't allow it.
Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)
Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?
There's a presentation that explains how it works: http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx
They talk about what to do when a bug is discovered. My understanding is that beta testing may result in thousands of crash reports. Clearly you'll want to prioritize fixing the exploitable crashes before the non-exploitable ones. It seems this software is to help you do that, although the article is short on technical detail.
Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with baited breath...
It's released under the Ms-PL, which is OSI-approved.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
"bang" is ancient history.
http://en.wikipedia.org/wiki/Special_Characters
http://www.catb.org/~esr/jargon/html/A/ASCII.html
Your comment loses all credibility not so much because of your lack of evidence but because of your use of "M$."
Also, your suicide joke wasn't funny.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
-- derby
int assess_severity( struct* bug )
{
string vendor = get_application_vendor( bug );
if ((vendor == "Google") ||
(vendor == "Adobe") ||
(vendor == "Mozilla"))
return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
else if (vendor == "Microsoft")
return TRIVIAL_SECURITY_RISK;
else
return MODERATE_SECURITY_RISK;
}
That's proof that it can't always work. Not that it never works.
yeah, FOSS exploits are cuddlier
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Has anybody every told you "'Perfect' is the enemy of 'good enough'."? Perhaps after listening to you explain why your project is behind schedule, then sighing and face-palming?
The halting problem says that there cannot be a GENERAL ALGORITHM that works in all cases, for any of the infinity of possible programs that can exist.
That proves ZERO about, say, whether I can write an algorithm that covers 99% of the common cases. The lack of a general solution doesn't imply that it can't be done often enough, in practice.
How large of a programming team do you work with? And how big are the projects to which you contribute code? And what kind of development model do you use (waterfall, Agile, ad-hoc, etc.)?
Shipping a large project with 1,000 bugs might be a perfectly valid decision. Are any of those 1,000 bugs deal-breakers for your install base? If so, how many clients does it affect? Are these "real bugs", or just incomplete/unpolished functions, or documentation issues, or output typos, or what?
And what kind of software is this? Are you building a time & expense web application, or a filesystem driver? In the former case, most bugs will be interface glitches--ugly, annoying, and harmless. In the latter case, even one bug could easily cause silent data corruption.
Remeber what Linus Torvalds said: Release early, release often. Don't wait til all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early-adopters will understand, and might even contribute bug reports or patches that will speed you up.
Are you sure, Coward?
http://www.opensource.org/licenses/ms-pl.html
Or you say it won't be released under ms-pl?
Patents Drive Free Software as Hurricanes Drive Construction Industry
I think this might explain some of Microsoft's buggy code issues.
Every time they see "!=" they interpret is as "bang equals". That sounds like definitely equals, doesn't it? Like, dude, those are so equal it's not even funny, equal.
No wonder they have all those buffer overflow exploits. Their logic checks that include the not modifier are all wrong.
Shipping a large project with 1,000 bugs might be a perfectly valid decision
Why don't we just change that to Shipping a large project with 1,000 bugs might be a perfectly valid business decision
I don't ship crap.
And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that an an excuse and want to rush it out the door ASAP to start generating revenue. Not me thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.
I still can remember back to the days when "version one-point-oh" didn't always have to mean "train wreck, we'll start seriously fixing bugs around 2.5". Today's translation works as follows: Today's 1.0 is yesterday's early beta. Today's 2.0 is yesterday's Still Beta. Today's 3.0 is yesterday's 1.0.
Software should work out of the box. You shouldn't have to wait for an update or two for it to become stable enough to use.
I work for the Department of Redundancy Department.
And just like anti-virus software, it will lull people into a false sense of security that can easily result in catastrophe
File under 'M' for 'Manic ranting'
Why do you believe that Microsoft doesn't run it on their own code?
Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.
From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 Million fuzzing iterations in Vista).
The GPL isn't open source compatible with most other open source licenses, either.
Do you even lift?
These aren't the 'roids you're looking for.
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple.
Are you retarded? This tool isn't a "find exploits in open source software tool." It's an open source "find exploits in software tool". So Microsoft has an internal tool that they've developed to search for exploits in their software like Windows and Office, but they decided to open source that tool and share it with everyone else. It has nothing to do with Windows versus Linux.
As far as your ridiculous rant regarding Windows and programs running as Administrator, if you actually looked at the most recent versions of Windows, the number of system services that run under NETWORK SERVICE and other less privileged accounts has been increased, and with UAC, running users as non-admin is actually feasible. I don't know if you'd ever tried running as non-admin under XP, but the idea of logging out and logging back in to make a change, or hoping to hell that runas will actually work, just makes no sense. In addition, their work on Protected Mode where IE runs in a sandbox is another example of MS working to implement the least privilege principle.
Microsoft has made *considerable* progress on the non-admin front, and continues to work on that.
Oh, and whoever modded you up for this nonsensical misinterpretation of the tool needs a meta-mod down.
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Qualye, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
I don't care why you're posting AC
Since Microsoft receives millions of crash dumps every days for every single Windows app (including third-party apps) they need hardcore bug triaging tools.
For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries go figure out whether it's a Microsoft bug or a bug in the third-app. It also tries to classify the bug using advanced heuristics which has been refined over many years.
Now, they have decided to do the same for security bugs as well and thus they created the !expoitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always get's bad press regardless.
Also note that this tool cannot easily be used to find security bugs in the linux kernel and not in linux-only apps either because you must run it inside windbg. Further, in order for windbg to be useful you just have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice mean you must have compiled it with Visual Studio (and not mingw etc).
So you need not just a port to windows (using mingw or similar) but you actually need to port the app to compile under MS compiler if you want to use this.
Apps like Firefox will be able to use this tool though, they already have debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.
I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
1. Fork the project
2. Change the name
Is that the license OSI approved which got a lot of flak because it says the source can only be run on windows or did they remove that use clause from their OSI licenses?
No. Those are the MS-LPL and MS-LRL licenses. The MS-PL license is fairly innocuous excepting the patent clause which is debatable. It allows the distribution of the source under this license and distribution of binaries for commercial use with a different license.
Not all software is a product for sale, and in the real world there are deadlines and budgets. Users can deal with bugs, business owners can't deal with late, over-budget projects.
The GPL maximises protection against software patents and forbids distribution as proprietary-only software. The Ms-PL minimizes protection against software patents and forbids distribution as libre-only software. The Ms-PL formally fulfills the requirements for an OSI approval but apart from that it is everything what you would expect a license from Microsoft to be. To understand the Ms-PL just imagine the Venn diagram for the following equation: MsPL = ( OSI - GPL ) & Microsoft
There's nothing mysterious about the "bang exploitable" nomenclature. That's how all the windbg extensions are commonly called verbally... bang analyze (!analyze), bang process (!process), and so on. It's been that way for as long as I can recall.
You mean, "It's from Microsoft! It must not be labeled as open source, even if it is!"
If you aren't saying this, then maybe you can say in what aspect the license doesn't meet the Open Source Definition
.
To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
It's also meaningless, since every business is out for dollars. You might as well say $un too, and same goes for any business with an "s" in its name.
I don't ship crap. And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that an an excuse and want to rush it out the door ASAP to start generating revenue. Not me thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.
There's a balance, there are also those people that think that perfect software can be created in some kind of bubble and you might be one of them, I think. In a large project I can assure, with 100% certainty, that between the start of the project and the final release the requirements have changed. A lot. It does not matter if you design up a perfect software development method, not that I think such a thing exists, because people are very poor at specifying in an abstract specification what it is they want to do. Sometimes they don't even know exactly how, even if you could hire a telepath at the start of the project. And thinking that all code is written after one master plan is unlikely, more likely you've bought up functionality from other companies or migrated it from legacy products and it's patchwork under the hood.
Releasing early and getting feedback is usually the only way to get the design right. It's much better to hear "yeah umm, but that's not the way we work" or "yeah umm, but that doesn't solve our challenge" before everything's set in stone. If you get told at the very end to rip out that well tested and well integrated piece of code then all that effort is really wasted. In large development projects these kinds of communication problems are very real. You could accept lots of small issues like a house where they said "that light fixture doesn't work, but it'll get fixed in the next release". What you couldn't accept is "the foundation is quicksand, the drainage is shot and the pillars rotten". In computer terms things like "the solution can't scale, it's crashing often and we have major data loss".
Seriously, think of all the trivial things that can be considered bugs. Typos are bugs. A non-working shortcut is a bug. I think the most trivial bug I've seen is that you have a list. A to Z will jump you to the first item starting with that letter. But Æ, Ø and Å will not. Workaround? Scroll and pick. It's a genuine bug, but like hell if it's something that should hold up a software release. On the admin side I'm more like "if there's a dark voodoo way of doing it then fine" because I'm much more interested in them fixing bugs affecting a thousand people than me. Software delivers value and bugs detract from value, but this is important - a bugfree but useless application also has no value. Something that isn't used where they put it in an Excel spreadsheet instead has no value. Developers need to be working on the right things first, then they can do them right. Sounds easy and obvious but damn how hard that is.
Live today, because you never know what tomorrow brings
Bang Exploitable Crash Analyzer, programmed in C Pound Point Net.
Exactly. That's why I'm also against railroad crossing gates, smoke detectors, and those silly "Bridge Out" warning signs.
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Qualye, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
I beg to differ. If you're so puerile to have the need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.
As for identifying corporations by their stock ticker symbols, it allows to easily differentiate between corporations who would have otherwise similar names(for example, an article talking about the Royal Bank could refer to both RY and RBS) and to look them up quickly and unambiguously.
Jean-Francois Im's blog
This is Dan.
OK, my DNS bug took two days to find, and six months to fix. I'm not sure what universe you're in; in mine, we have to actually test.
How do you know? What tool do you use that automatically detects every rootkit ever invented? I've seen Linux boxes owned, I've seen SGI boxes owned, and I've seen Windows boxes owned. It happens to everyone: even OSX. In fact, given that every OS has had security problems, if your box hasn't been owned, it's because you were lucky enough to not have your box targeted at the crucial moment.
Every time I hear anyone using any system say, "I've never had a virus or trojan or malware," I always think, "there is a guy who doesn't know how to detect malware on his machine." And it's usually true.
I'm not saying you don't know how, but you said a genuinely stupid thing right there. It's possible that right now you're computer has been rooted, covered up, and you don't even know it. Because Microsoft sure wasn't protecting you for the last 20 years.
Qxe4
Or is that a senseless question anyway since it runs under Windows?
SVN runs under Windows. GCC runs under Windows. Gimp runs under Windows. Apache runs under Windows. Hell, just about any project with a configure script will either compile for Windows as-is, or will after slight modifications. FOSS has nothing to do with whether it runs under Windows or not.
Hmmm. Most people do not know how computer viruses work. Installing anti-virus software can lull people in a false sense of security since they also do not know how the anti-virus software does (not) work, but hey, it's not called 'anti' for nuttin, right?
Railroad crossing gates are intuitive for most people: train may pass by crushing and killing you, so such a crossing calls for extra attention automatically.
Smoke detectors do not cause most people to suddenly leave their burning candles unattended or to start playing with matches.
'Bridge out' warning signs call on the viewer to pay extra attention.
So, anti virus software makes ppl less attentive, railroad crossings and warning signs make ppl more attentive and smoke detectors do not alter behaviour. I am afraid I fail to see your point.
Wenn ist das Nunstueck git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput.
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
#ifdef WIN32
fprintf(stderr, "Your system is not secure\n");
#else
fprintf(stderr, "Your system is not popular enough to be targetted, therefore it is secure\n");
#endif
return 0;
}
it is only after a long journey that you know the strength of the horse.
The GPL license is just about protecting individuals who want to develop and use software in freedom. It's up to you to take advantage of this protection or not
The best protection is public domain. Retaining ownership to force an ideological end is silly. The GPL was born out of emacs getting "ripped off" by other people... but did that stop emacs at all? Nope, we're still stuck with it, even though everyone knows vi is better....
This is my sig.
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker".
You don't agree that text in bold is HIS opinion? I don't agree with your disagreement :P
+Raider of the lost BBS
What! You mean they Open Sourced Windows!??!
"Flyin' in just a sweet place,
Never been known to fail..."
But the current legal system allows coercion by means of patents, technical restrictions, ... The GPL is not by any means more silly than the environment in which it is being used.
Has it been run on itself?
Will subsequent versions exploit the exploits, setup botnets, send spam etc?
If Microsoft entered the armor business, would they also supply arms to the other side?
But seriously, Microsoft put a ton of research into finding their security holes, including embedding the acquired techniques in tools. They're useful tools, and have been critically useful to them. Why not release them? My only worry is that it is not in their fighter-nature to help their competitors, and of course the tool can also be used by crackers.
If you look for hypocrisy, you should probably have a look at other license before criticising the GPL. Also you must have a distorted view of the situation if you criticise GPL developers for incorporating BSD code, but at the same time you are completely oblivious of the fact that entire software companies are making money from selling modified BSD software without contributing back.
Holy shit. This is getting ridiculous. People, get a clue. Licenses are different. If they weren't we wouldn't need to throw all of these plurals and license names about. There would be just one Open Source license (OK, two. The original, and the one M$ embraces and bends^H^H^H^H^H extends.)
...
The definition of Open Source compatible is not: a license which can be used interchangeably with any other Open Source license.Some licenses are compatible with each other and others aren't. It is called freedom of choice, which is what FOSS encourages and promotes.
Holy shit I'd like to hit some of you with a serious clue stick right about now
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun