Slashdot Mirror


Microsoft Unveils Open Source Exploit Finder

Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: "Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."

23 of 310 comments

  1. auto-hack or brute force? by Gothmolly · · Score: 4, Insightful

    Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:auto-hack or brute force? by interiot · · Score: 4, Informative

      The article mentions it does fuzz testing, so it'd be the former.

    2. Re:auto-hack or brute force? by Effugas · · Score: 4, Informative

      Sup Goth, this *is* Dan.

      !exploitable isn't about finding bugs -- it's not a fuzzer, it's not a static analyzer, etc. It's about looking at a crash and saying, "Heh, this isn't just a Null Pointer Deref, you got EIP." Sure, that's obviously exploitable to you, but to some junior tester, that's not obvious at all.

      That's why it's a game changer. The dev writing the buggy code can't just say, meh, prove it's exploitable. Now the tester can point out the output of !exploitable and say, prove Microsoft is wrong. Shifts the burden of proof in the exact direction you'd want.

  2. I'm feeling quite dizzy... by Anonymous Coward · · Score: 4, Funny

    Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)

  3. Things that make you go hmmm... by Anonymous Coward · · Score: 5, Funny

    Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?

  4. Direct link to explanation by DavidR1991 · · Score: 5, Informative

  5. Re:Libre? by Macthorpe · · Score: 5, Informative

    It's released under the Ms-PL, which is OSI-approved.

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  6. interesting excerpt from bang source code by Anonymous Coward · · Score: 5, Funny


    #include <string.h>

    /* Severity codes (joke values, as in the original post) */
    #define MAJOR_RISK_UNINSTALL_IMMEDIATELY 3
    #define MODERATE_SECURITY_RISK           2
    #define TRIVIAL_SECURITY_RISK            1

    struct bug;                                                /* opaque crash record */
    const char *get_application_vendor(const struct bug *bug); /* defined elsewhere */

    int assess_severity(const struct bug *bug)
    {
        const char *vendor = get_application_vendor(bug);
        if (strcmp(vendor, "Google") == 0 ||
            strcmp(vendor, "Adobe") == 0 ||
            strcmp(vendor, "Mozilla") == 0)
            return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
        else if (strcmp(vendor, "Microsoft") == 0)
            return TRIVIAL_SECURITY_RISK;
        else
            return MODERATE_SECURITY_RISK;
    }

  7. Re:There's already proof that this can't work by spydabyte · · Score: 4, Informative

    That's proof that it can't always work. Not that it never works.

  8. Re:This is M$ double speak for "Finding Free Sofwa by DrSkwid · · Score: 5, Insightful

    yeah, FOSS exploits are cuddlier

    But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  9. Re:THOUSANDS OF BUGS? by MoralHazard · · Score: 4, Insightful

    How large of a programming team do you work with? And how big are the projects to which you contribute code? And what kind of development model do you use (waterfall, Agile, ad-hoc, etc.)?

    Shipping a large project with 1,000 bugs might be a perfectly valid decision. Are any of those 1,000 bugs deal-breakers for your install base? If so, how many clients does it affect? Are these "real bugs", or just incomplete/unpolished functions, or documentation issues, or output typos, or what?

    And what kind of software is this? Are you building a time & expense web application, or a filesystem driver? In the former case, most bugs will be interface glitches--ugly, annoying, and harmless. In the latter case, even one bug could easily cause silent data corruption.

    Remember what Linus Torvalds said: Release early, release often. Don't wait until all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early-adopters will understand, and might even contribute bug reports or patches that will speed you up.

  10. Re:Bang exploitable by NeverVotedBush · · Score: 4, Funny

    I think this might explain some of Microsoft's buggy code issues.

    Every time they see "!=" they interpret it as "bang equals". That sounds like definitely equals, doesn't it? Like, dude, those are so equal it's not even funny, equal.

    No wonder they have all those buffer overflow exploits. Their logic checks that include the not modifier are all wrong.

  11. Re:Libre? by larry+bagina · · Score: 5, Informative

    The GPL isn't open source compatible with most other open source licenses, either.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  12. Re:Enough problems of their own by BasharTeg · · Score: 4, Insightful

    So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple.

    Are you retarded? This tool isn't a "find exploits in open source software tool." It's an open source "find exploits in software tool". So Microsoft has an internal tool that they've developed to search for exploits in their software like Windows and Office, but they decided to open source that tool and share it with everyone else. It has nothing to do with Windows versus Linux.

    As far as your ridiculous rant regarding Windows and programs running as Administrator, if you actually looked at the most recent versions of Windows, the number of system services that run under NETWORK SERVICE and other less privileged accounts has been increased, and with UAC, running users as non-admin is actually feasible. I don't know if you'd ever tried running as non-admin under XP, but the idea of logging out and logging back in to make a change, or hoping to hell that runas will actually work, just makes no sense. In addition, their work on Protected Mode where IE runs in a sandbox is another example of MS working to implement the least privilege principle.

    Microsoft has made *considerable* progress on the non-admin front, and continues to work on that.

    Oh, and whoever modded you up for this nonsensical misinterpretation of the tool needs a meta-mod down.

  13. Re:This is M$ double speak for "Finding Free Sofwa by multisync · · Score: 5, Insightful

    You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.

    But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.

    And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.

    In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.

    In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.

    BTW, I agree with you about the suicide remark.

    --
    I don't care why you're posting AC
  14. windbg needs PDB so app must compile in MSVS by formal_entity · · Score: 5, Informative

    It's a plugin to the windbg debugger, so that when it hits an access violation (which is MS speak for SIGSEGV) you can do !exploitable and it will use some heuristics to guess whether this bug is an exploitable security vulnerability.

    Since Microsoft receives millions of crash dumps every day for every single Windows app (including third-party apps) they need hardcore bug triaging tools.

    For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries to figure out whether it's a Microsoft bug or a bug in the third-party app. It also tries to classify the bug using advanced heuristics which have been refined over many years.

    Now, they have decided to do the same for security bugs as well and thus they created the !exploitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always gets bad press regardless.

    Also note that this tool cannot easily be used to find security bugs in the Linux kernel and not in Linux-only apps either because you must run it inside windbg. Further, in order for windbg to be useful you must have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice means you must have compiled it with Visual Studio (and not mingw etc.).

    So you need not just a port to Windows (using mingw or similar) but you actually need to port the app to compile under the MS compiler if you want to use this.

    Apps like Firefox will be able to use this tool though, they already have a debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.

    I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
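The kind of crash triage Effugas (comment 2) and formal_entity (comment 14) describe, as an added Python example that is not part of this thread or of the !exploitable extension itself: a simplified bucket heuristic run over constructed crash records, where the record fields, the 64 KiB null-page threshold and the specific rules are assumptions used for illustration.

```python
from dataclasses import dataclass

@dataclass
class CrashRecord:
    """Fields a debugger reports for a crash (constructed for this example)."""
    exception: str      # e.g. "ACCESS_VIOLATION", "INT_DIVIDE_BY_ZERO"
    access: str         # "read", "write" or "exec" for an access violation
    fault_addr: int     # address the faulting instruction touched
    ip_in_image: bool   # True if the instruction pointer lies inside a loaded module

NULL_PAGE_LIMIT = 0x10000  # assumption: faults below 64 KiB are null-pointer derefs

# Buckets in the spirit of !exploitable's verdicts; the rules below are a
# simplified illustration, not the tool's own heuristics.
RANK = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1,
        "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}

def classify(crash: CrashRecord) -> str:
    """Return an exploitability bucket for one crash."""
    if crash.exception != "ACCESS_VIOLATION":
        # Divide-by-zero and friends: a crash, but not memory corruption.
        return "PROBABLY_NOT_EXPLOITABLE"
    # Instruction fetch from an address outside any module means the
    # instruction pointer itself was corrupted ("you got EIP").
    if crash.access == "exec" or not crash.ip_in_image:
        return "EXPLOITABLE"
    # A faulting write means attacker-influenced data reached a store;
    # a write near null still corrupts memory once the pointer is non-null.
    if crash.access == "write":
        return "EXPLOITABLE" if crash.fault_addr >= NULL_PAGE_LIMIT \
            else "PROBABLY_EXPLOITABLE"
    # Read near null is the classic benign null-pointer dereference.
    if crash.fault_addr < NULL_PAGE_LIMIT:
        return "PROBABLY_NOT_EXPLOITABLE"
    # Read from an unmapped non-null address: needs a human to look.
    return "UNKNOWN"

def triage(crashes):
    """Order crashes most dangerous first, each paired with its bucket."""
    return sorted(((classify(c), c) for c in crashes), key=lambda p: RANK[p[0]])

# Constructed sample: the "thousands of bugs" a tester might be handed.
SAMPLE_CRASHES = [
    CrashRecord("ACCESS_VIOLATION", "read", 0x0000000c, True),      # null deref
    CrashRecord("INT_DIVIDE_BY_ZERO", "", 0, True),                  # plain DoS
    CrashRecord("ACCESS_VIOLATION", "read", 0x41414141, False),      # EIP control
    CrashRecord("ACCESS_VIOLATION", "write", 0x7ffd4000, True),      # wild write
    CrashRecord("ACCESS_VIOLATION", "read", 0x0be7c000, True),       # unmapped read
]
```

The sort puts the EIP-control and wild-write crashes at the top of the list, which is the burden-of-proof shift Effugas describes: the tester hands over the bucket, and the developer has to argue it down.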

  15. Rules of Open Source club by CarpetShark · · Score: 4, Funny

    1. Fork the project
    2. Change the name

  16. Re:Libre? by 99BottlesOfBeerInMyF · · Score: 4, Informative

    Is that the license OSI approved which got a lot of flak because it says the source can only be run on windows or did they remove that use clause from their OSI licenses?

    No. Those are the MS-LPL and MS-LRL licenses. The MS-PL license is fairly innocuous excepting the patent clause which is debatable. It allows the distribution of the source under this license and distribution of binaries for commercial use with a different license.

  17. Re:Libre? by janwedekind · · Score: 4, Interesting

    The GPL maximises protection against software patents and forbids distribution as proprietary-only software. The Ms-PL minimizes protection against software patents and forbids distribution as libre-only software. The Ms-PL formally fulfills the requirements for an OSI approval but apart from that it is everything what you would expect a license from Microsoft to be. To understand the Ms-PL just imagine the Venn diagram for the following equation: MsPL = ( OSI - GPL ) & Microsoft

  18. Re:There's already proof that this can't work by Paradise+Pete · · Score: 5, Funny

    And just like anti-virus software, it will lull people into a false sense of security that can easily result in catastrophe

    Exactly. That's why I'm also against railroad crossing gates, smoke detectors, and those silly "Bridge Out" warning signs.

  19. Re:This is M$ double speak for "Finding Free Sofwa by jfim · · Score: 4, Insightful

    You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.

    But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.

    And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.

    In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.

    In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.

    BTW, I agree with you about the suicide remark.

    I beg to differ. If you're so puerile to have the need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.

    As for identifying corporations by their stock ticker symbols, it allows one to easily differentiate between corporations who would have otherwise similar names (for example, an article talking about the Royal Bank could refer to both RY and RBS) and to look them up quickly and unambiguously.

  20. Re:Open Source?! Wait for it... by Kalriath · · Score: 4, Insightful

    If Microsoft really wanted to release source in a way that is useful for the community, then they would be compatible with the GPL or would simply use the unmodified GPL.

    Oh bullshit. Something doesn't have to be GPL to be useful for the community - take FreeBSD for instance. Demons, GPL zealots are as bad as Apple zealots!

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".