Slashdot Log In
Microsoft Unveils Open Source Exploit Finder
Posted by
Soulskill
on Sun Mar 22, 2009 09:48 AM
from the solutions-looking-for-problems dept.
from the solutions-looking-for-problems dept.
Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest:
"Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Open Source?! Wait for it... (Score:3, Funny)
'hellfrozeover' tag in 3... 2... 1...
Re: (Score:3, Insightful)
Definitely not.
Microsoft doesn't have anything about open source actually. They're perfectly fine with the BSD for instance, which they can incorporate in their products. They're also fine with their own "shared source" deal, which goes from "non commercial" to "you can only look at it".
What MS really despises is the GPL. They can't use it, and can't buy the source out in many cases. Of course they could technically use it, but they could apply the "embrace and extend" tactics, and would have to give out an
really? (Score:3, Informative)
Are you sure, Coward?
http://www.opensource.org/licenses/ms-pl.html [opensource.org]
Or you say it won't be released under ms-pl?
Re:Open Source?! Wait for it... (Score:4, Interesting)
So what? The viral GPL license is not the only one that makes your software free.
What you say is factually correct yet it misses the point entirely. I like benefit of doubt so I'll assume that you were not being deliberately obtuse. If Microsoft really wanted to release source in a way that is useful for the community, then they would be compatible with the GPL or would simply use the unmodified GPL. They know very well that the vast majority of Free Software, especially that which is available for Unix-like operating systems, is GPL.
So a developer who maintains GPL software has two choices regarding the code that Microsoft releases. The first choice is to ignore it and avoid using it, because I would certainly expect Microsoft to vigorously pursue anyone who violates their license. The second choice is to abandon the GPL and release the software under the Microsoft license so that Microsoft's code could be incorporated into the project. This has two benefits for Microsoft. At the very least, they can talk a good game about how "open" they are becoming while actually doing very little for the community. At the most, they can tempt people to stop using the GPL.
The GPL and Free Software in general is perhaps Microsoft's first experience with a potential competitor that they cannot buy out and cannot embrace-and-extend, so their huge resources and preferred tactics are rendered useless. Either they just give up or they realize that they cannot use the "direct approach". I would not expect them to just give up. The saying that comes to mind is "if you get into bed with Microsoft, you're going to get fucked." Anyone who really believes that Microsoft has had a change of heart and is now a trustworthy ally of Free Software is frankly rather naive. You're dealing with an entity that became so dominant in its industry by means of shrewd business decisions and Machiavellian strategy. I would expect a close-source software company with even half of their willingness and ability to dominate to see Free Software as an implacable enemy that requires new tactics. If anyone believes it could possibly be otherwise, the evidence against you is strong but I'd like to know why you feel that way.
Parent
Re:Open Source?! Wait for it... (Score:5, Insightful)
If Microsoft really wanted to release source in a way that is useful for the community, then they would be compatible with the GPL or would simply use the unmodified GPL.
Oh bullshit. Something doesn't have to be GPL to be useful for the community - take FreeBSD for instance. Demons, GPL zealots are as bad as Apple zealots!
Parent
Re: (Score:3, Insightful)
If you believe that recognizing the strategic aspects of Microsoft's business decisions makes one a zealot, then you are fortunate. You are fortunate because you have never seen a real zealot.
The same thing that would happen if a Free Software developer were found using Microsoft's non-GPL code in their GPL software: a legal problem. The incompatibility of the licenses is mutual
Re:Libre? (Score:5, Informative)
It's released under the Ms-PL, which is OSI-approved.
Parent
Re:Libre? (Score:5, Informative)
Parent
Re:Libre? (Score:4, Interesting)
The GPL maximises protection against software patents and forbids distribution as proprietary-only software. The Ms-PL minimizes protection against software patents and forbids distribution as libre-only software. The Ms-PL formally fulfills the requirements for an OSI approval but apart from that it is everything what you would expect a license from Microsoft to be. To understand the Ms-PL just imagine the Venn diagram for the following equation: MsPL = ( OSI - GPL ) & Microsoft
Parent
Re: (Score:3, Insightful)
The definition of Open Source compatible is not: a license which can be used interchangeably with any other Open Source license.Some licenses are compatible with each other and others aren't. It is called freed
Re: (Score:3, Insightful)
The GPL license is just about protecting individuals who want to develop and use software in freedom. It's up to you to take advantage of this protection or not
The best protection is public domain. Retaining ownership to force an ideological end is silly. The GPL was born out of emacs getting "ripped off" by other people... but did that stop emacs at all? Nope, we're still stuck with it, even though everyone knows vi is better....
Re:Libre? (Score:4, Insightful)
You mean, "It's from Microsoft! It must not be labeled as open source, even if it is!"
If you aren't saying this, then maybe you can say in what aspect the license doesn't meet the Open Source Definition [opensource.org]
.
Parent
Re:Libre? (Score:5, Informative)
Is that the license OSI approved which got a lot of flak because it says the source can only be run on windows or did they remove that use clause from their OSI licenses?
No. Those are the MS-LPL and MS-LRL licenses. The MS-PL license is fairly innocuous excepting the patent clause which is debatable. It allows the distribution of the source under this license and distribution of binaries for commercial use with a different license.
Parent
Re: (Score:3, Informative)
Or is that a senseless question anyway since it runs under Windows?
SVN runs under Windows. GCC runs under Windows. Gimp runs under Windows. Apache runs under Windows. Hell, just about any project with a configure script will either compile for Windows as-is, or will after slight modifications. FOSS has nothing to do with whether it runs under Windows or not.
Re: (Score:3, Insightful)
Also, your suicide joke wasn't funny.
Re:This is M$ double speak for "Finding Free Sofwa (Score:5, Insightful)
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Qualye, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
Parent
Re:This is M$ double speak for "Finding Free Sofwa (Score:4, Insightful)
To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
It's also meaningless, since every business is out for dollars. You might as well say $un too, and same goes for any business with an "s" in its name.
Parent
Re:This is M$ double speak for "Finding Free Sofwa (Score:5, Insightful)
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Qualye, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
I beg to differ. If you're so puerile to have the need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.
As for identifying corporations by their stock ticker symbols, it allows to easily differentiate between corporations who would have otherwise similar names(for example, an article talking about the Royal Bank could refer to both RY and RBS) and to look them up quickly and unambiguously.
Parent
Re: (Score:3, Insightful)
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker".
You don't agree that text in bold is HIS opinion? I don't agree with your disagreement :P
Re:This is M$ double speak for "Finding Free Sofwa (Score:5, Insightful)
yeah, FOSS exploits are cuddlier
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
Parent
Re:This is M$ double speak for "Finding Free Sofwa (Score:4, Insightful)
Every time I hear anyone using any system say, "I've never had a virus or trojan or malware," I always think, "there is a guy who doesn't know how to detect malware on his machine." And it's usually true.
I'm not saying you don't know how, but you said a genuinely stupid thing right there. It's possible that right now you're computer has been rooted, covered up, and you don't even know it. Because Microsoft sure wasn't protecting you for the last 20 years.
Parent
auto-hack or brute force? (Score:5, Insightful)
Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?
Re:auto-hack or brute force? (Score:5, Informative)
Parent
AFAICT, Neither (Score:3, Informative)
Re:auto-hack or brute force? (Score:5, Informative)
Sup Goth, this *is* Dan.
!exploitable isn't about finding bugs -- it's not a fuzzer, it's not a static analyzer, etc. It's about looking at a crash and saying, "Heh, this isn't just a Null Pointer Deref, you got EIP." Sure, that's obviously exploitable to you, but to some junior tester, that's not obvious at all.
That's why it's a game changer. The dev writing the buggy code can't just say, meh, prove it's exploitable. Now the tester can point out the output of !exploitable and say, prove Microsoft is wrong. Shifts the burden of proof in the exact direction you'd want.
Parent
I'm feeling quite dizzy... (Score:4, Funny)
Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)
Things that make you go hmmm... (Score:5, Funny)
Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?
Direct link to explanation (Score:5, Informative)
There's a presentation that explains how it works: http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx [microsoft.com]
Re: (Score:3, Insightful)
Naturally, that's an OOXML file that OpenOffice doesn't quite display properly. Outline view seems to be the best.
It's nice to see... (Score:3, Funny)
Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with baited breath...
Re:It's nice to see... (Score:4, Funny)
with baited breath...
Speaking of Microsoft and security, I think you've picked up a worm.
Parent
Re: (Score:3, Funny)
interesting excerpt from bang source code (Score:5, Funny)
int assess_severity( struct* bug )
{
string vendor = get_application_vendor( bug );
if ((vendor == "Google") ||
(vendor == "Adobe") ||
(vendor == "Mozilla"))
return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
else if (vendor == "Microsoft")
return TRIVIAL_SECURITY_RISK;
else
return MODERATE_SECURITY_RISK;
}
windbg needs PDB so app must compile in MSVS (Score:5, Informative)
Since Microsoft receives millions of crash dumps every days for every single Windows app (including third-party apps) they need hardcore bug triaging tools.
For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries go figure out whether it's a Microsoft bug or a bug in the third-app. It also tries to classify the bug using advanced heuristics which has been refined over many years.
Now, they have decided to do the same for security bugs as well and thus they created the !expoitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always get's bad press regardless.
Also note that this tool cannot easily be used to find security bugs in the linux kernel and not in linux-only apps either because you must run it inside windbg. Further, in order for windbg to be useful you just have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice mean you must have compiled it with Visual Studio (and not mingw etc).
So you need not just a port to windows (using mingw or similar) but you actually need to port the app to compile under MS compiler if you want to use this.
Apps like Firefox will be able to use this tool though, they already have debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.
I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
Here is the code (Score:3, Funny)
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
#ifdef WIN32
fprintf(stderr, "Your system is not secure\n");
#else
fprintf(stderr, "Your system is not popular enough to be targetted, therefore it is secure\n");
#endif
return 0;
}
Re:Bang exploitable (Score:5, Informative)
"bang" is ancient history.
http://en.wikipedia.org/wiki/Special_Characters [wikipedia.org]
http://www.catb.org/~esr/jargon/html/A/ASCII.html [catb.org]
Parent
Re:Bang exploitable (Score:5, Funny)
Every time they see "!=" they interpret is as "bang equals". That sounds like definitely equals, doesn't it? Like, dude, those are so equal it's not even funny, equal.
No wonder they have all those buffer overflow exploits. Their logic checks that include the not modifier are all wrong.
Parent
Rules of Open Source club (Score:5, Funny)
1. Fork the project
2. Change the name
Parent
Re:There's already proof that this can't work (Score:5, Informative)
Parent
Re: (Score:3, Insightful)
Re:There's already proof that this can't work (Score:5, Funny)
Exactly. That's why I'm also against railroad crossing gates, smoke detectors, and those silly "Bridge Out" warning signs.
Parent
Re: (Score:3, Insightful)
Has anybody every told you "'Perfect' is the enemy of 'good enough'."? Perhaps after listening to you explain why your project is behind schedule, then sighing and face-palming?
The halting problem says that there cannot be a GENERAL ALGORITHM that works in all cases, for any of the infinity of possible programs that can exist.
That proves ZERO about, say, whether I can write an algorithm that covers 99% of the common cases. The lack of a general solution doesn't imply that it can't be done often enough, in
Re:THOUSANDS OF BUGS? (Score:5, Insightful)
How large of a programming team do you work with? And how big are the projects to which you contribute code? And what kind of development model do you use (waterfall, Agile, ad-hoc, etc.)?
Shipping a large project with 1,000 bugs might be a perfectly valid decision. Are any of those 1,000 bugs deal-breakers for your install base? If so, how many clients does it affect? Are these "real bugs", or just incomplete/unpolished functions, or documentation issues, or output typos, or what?
And what kind of software is this? Are you building a time & expense web application, or a filesystem driver? In the former case, most bugs will be interface glitches--ugly, annoying, and harmless. In the latter case, even one bug could easily cause silent data corruption.
Remeber what Linus Torvalds said: Release early, release often. Don't wait til all your bugs are fixed before shipping your software, or you'll lose your "market" window. If it's good enough, the early-adopters will understand, and might even contribute bug reports or patches that will speed you up.
Parent
Re: (Score:3, Interesting)
Shipping a large project with 1,000 bugs might be a perfectly valid decision
Why don't we just change that to Shipping a large project with 1,000 bugs might be a perfectly valid business decision
I don't ship crap.
And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that an an excuse and want to rush it out the door ASAP to start generating revenue. Not me thank you very much. Just because there
Re: (Score:3, Insightful)
Not all software is a product for sale, and in the real world there are deadlines and budgets. Users can deal with bugs, business owners can't deal with late, over-budget projects.
Re: (Score:3, Interesting)
I don't ship crap. And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that an an excuse and want to rush it out the door ASAP to start generating revenue. Not me thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.
There's a balance, there are also those people that think that perfect software can be created in some kind of bubble and you might be one of them, I think. In a large project I can assure, with 100% certainty, that between the start of the project and the final release the requirements have changed. A lot. It does not matter if you design up a perfect software development method, not that I think such a thing exists, because people are very poor at specifying in an abstract specification what it is they wa
Re: (Score:3, Informative)
This is Dan.
OK, my DNS bug took two days to find, and six months to fix. I'm not sure what universe you're in; in mine, we have to actually test.
Re: (Score:3, Informative)
Why do you believe that Microsoft doesn't run it on their own code?
Remember that !exploitable is a debugger extension that is used on a crash dump to determine if it's possible that the crash was caused by an exploitable bug. It's not a source code analyzer - it's purely a post-mortem analysis tool.
From the paper I would expect that Microsoft routinely runs this tool over crashes, especially over the crashes that are found by its internal fuzzing tests (the paper says that they ran over 350 Million fuzzing
Re:Enough problems of their own (Score:5, Insightful)
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple.
Are you retarded? This tool isn't a "find exploits in open source software tool." It's an open source "find exploits in software tool". So Microsoft has an internal tool that they've developed to search for exploits in their software like Windows and Office, but they decided to open source that tool and share it with everyone else. It has nothing to do with Windows versus Linux.
As far as your ridiculous rant regarding Windows and programs running as Administrator, if you actually looked at the most recent versions of Windows, the number of system services that run under NETWORK SERVICE and other less privileged accounts has been increased, and with UAC, running users as non-admin is actually feasible. I don't know if you'd ever tried running as non-admin under XP, but the idea of logging out and logging back in to make a change, or hoping to hell that runas will actually work, just makes no sense. In addition, their work on Protected Mode where IE runs in a sandbox is another example of MS working to implement the least privilege principle.
Microsoft has made *considerable* progress on the non-admin front, and continues to work on that.
Oh, and whoever modded you up for this nonsensical misinterpretation of the tool needs a meta-mod down.
Parent
Microsoft Unveils Open Source Exploit Finder? (Score:3, Funny)
What! You mean they Open Sourced Windows!??!