
Microsoft Unveils Open Source Exploit Finder

Posted by Soulskill
from the solutions-looking-for-problems dept.
Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: "Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
  • by Macthorpe (960048) on Sunday March 22, 2009 @10:52AM (#27287845) Journal

    'hellfrozeover' tag in 3... 2... 1...

    • Re: (Score:3, Insightful)

      by vadim_t (324782)

      Definitely not.

      Microsoft doesn't have anything against open source actually. They're perfectly fine with the BSD for instance, which they can incorporate in their products. They're also fine with their own "shared source" deal, which goes from "non commercial" to "you can only look at it".

      What MS really despises is the GPL. They can't use it, and can't buy the source out in many cases. Of course they could technically use it, but they could apply the "embrace and extend" tactics, and would have to give out an

  • by Gothmolly (148874) on Sunday March 22, 2009 @10:53AM (#27287849)

    Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?

    • by interiot (50685) on Sunday March 22, 2009 @10:58AM (#27287877) Homepage
      The article mentions it does fuzz testing [wikipedia.org], so it'd be the former.
      • Re: (Score:2, Informative)

        by Wodin (33658)

        The article mentions it does fuzz testing, so it'd be the former.

        Actually, the article says it's used during fuzz testing, not that it does fuzz testing.

        It's a Windows debugger extension that's used during fuzz testing[...]

        It sounds more like an automated crash dump analyzer used after a fuzzer has caused the program to crash.

    • AFAICT, Neither (Score:3, Informative)

      by spaceturtle (687994)
      They talk about what to do when a bug is discovered. My understanding is that beta testing may result in thousands of crash reports. Clearly you'll want to prioritize fixing the exploitable crashes before the non-exploitable ones. It seems this software is to help you do that, although the article is short on technical detail.
      • by krappie (172561)

        Am I the only one that thinks it's ridiculous we still have programs crash? It's 2009, why are we still programming in C? It's certainly possible to have the same speed and low level expressiveness and include assurances against crashes and buffer overflows.

        • That's why I am very happy to completely steer around C/C++. I never liked its messy syntax anyway. ^^
          I used Pascal, Java, and now Haskell. And in 20 years of experience, I have never seen such an impressive beast of a compiler as the GHC (Glasgow Haskell Compiler).

          Sure, you can fuck up things in Haskell too. But you have to fuck up explicitly. By doing something very stupid. Not by not doing tons of checks right and left.
          I also found the tradeoff of slowness for stability in Java a good thing. But Haskell s

          • by krappie (172561)

            Yeah, there isn't really an alternative to C for low level things, which is what bothers me. It seems like an alternative language is the obvious solution to huge classes of security problems.

            ATS [ats-lang.org] looks interesting, they even have a paper on writing linux device drivers in ATS. Maybe the alternative will turn out to be ATS [ats-lang.org], or maybe BitC [bitc-lang.org], but it needs to hurry up and people need to start abandoning C/C++.

    • by Effugas (2378) * on Sunday March 22, 2009 @03:04PM (#27289747) Homepage

      Sup Goth, this *is* Dan.

      !exploitable isn't about finding bugs -- it's not a fuzzer, it's not a static analyzer, etc. It's about looking at a crash and saying, "Heh, this isn't just a Null Pointer Deref, you got EIP." Sure, that's obviously exploitable to you, but to some junior tester, that's not obvious at all.

      That's why it's a game changer. The dev writing the buggy code can't just say, meh, prove it's exploitable. Now the tester can point out the output of !exploitable and say, prove Microsoft is wrong. Shifts the burden of proof in the exact direction you'd want.

  • by Anonymous Coward on Sunday March 22, 2009 @10:55AM (#27287855)

    Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)

  • by Anonymous Coward on Sunday March 22, 2009 @10:57AM (#27287869)

    Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?

    • Re: (Score:3, Insightful)

      by Ken_g6 (775014)

      Naturally, that's an OOXML file that OpenOffice doesn't quite display properly. Outline view seems to be the best.

  • by rlanctot (310750) on Sunday March 22, 2009 @10:59AM (#27287883)

    Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with bated breath...

  • ...or as i prefer to call it, "bang beca."

  • by Anonymous Coward on Sunday March 22, 2009 @11:18AM (#27287985)


    #include <string.h>

    enum { TRIVIAL_SECURITY_RISK, MODERATE_SECURITY_RISK, MAJOR_RISK_UNINSTALL_IMMEDIATELY };
    struct bug { const char *vendor; };
    static const char *get_application_vendor(const struct bug *b) { return b->vendor; }

    int assess_severity(const struct bug *bug)
    {
        const char *vendor = get_application_vendor(bug);
        if (strcmp(vendor, "Google") == 0 ||
            strcmp(vendor, "Adobe") == 0 ||
            strcmp(vendor, "Mozilla") == 0)
              return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
        else if (strcmp(vendor, "Microsoft") == 0)
              return TRIVIAL_SECURITY_RISK;
        else
              return MODERATE_SECURITY_RISK;
    }

  • It's called Turing's halting problem.
    • by spydabyte (1032538) on Sunday March 22, 2009 @11:23AM (#27288019)
      That's proof that it can't always work. Not that it never works.
    • Re: (Score:3, Insightful)

      by MoralHazard (447833)

      Has anybody ever told you "'Perfect' is the enemy of 'good enough'."? Perhaps after listening to you explain why your project is behind schedule, then sighing and face-palming?

      The halting problem says that there cannot be a GENERAL ALGORITHM that works in all cases, for any of the infinity of possible programs that can exist.

      That proves ZERO about, say, whether I can write an algorithm that covers 99% of the common cases. The lack of a general solution doesn't imply that it can't be done often enough, in

    • by aslate (675607)

      No, all it states is that it cannot prove the program is bug free. It can, however, keep running and finding as many bugs as possible.

      If you get to a stage where you don't find bugs after a long enough period of time, you've probably reached the limits of that particular testing method's ability to provide any useful data about the application. That or the bugs are now awkward to find and probably won't be found by the majority of user input either.

      On the halting problem basis, users will never find every b

  • Just wait till people get to see the code for this thing, then we'll see the true colors of their idea of security
  • I would be more impressed if they released a free and open static code analyzer to include for their compilers that may also compile to native code (e.g. Visual C++).

    That said, I'll be nice and applaud this effort. But if anywhere possible, use managed code (scripting or a secure VM) instead of relying on this kind of analysis. With this rate, it will take centuries to get rid of all the buffer overflows and other rather inexcusable code out there. I would be very amazed if this tool would (help to) remove

    • by LO0G (606364)

      It's not "free and open" but do you mean a source code analyzer like this one [microsoft.com] which is available in Visual Studio 2005?

  • So...let me get this straight...they're open sourcing their Windows code base?

    I'm here all week. The veal is amazing!

  • by formal_entity (778568) on Sunday March 22, 2009 @01:04PM (#27288651) Homepage
    It's a plugin to the windbg debugger, so that when it hits an access violation (which is MS speak for SIGSEGV) you can do !exploitable and it will use some heuristics to guess whether this bug is an exploitable security vulnerability.

    Since Microsoft receives millions of crash dumps every day for every single Windows app (including third-party apps) they need hardcore bug triaging tools.

    For decades each crash they received went into the "!analyze -v" automatic bug triage tool, which tries to figure out whether it's a Microsoft bug or a bug in the third-party app. It also tries to classify the bug using advanced heuristics which have been refined over many years.

    Now, they have decided to do the same for security bugs as well and thus they created the !exploitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always gets bad press regardless.

    Also note that this tool cannot easily be used to find security bugs in the Linux kernel, and not in Linux-only apps either, because you must run it inside windbg. Further, in order for windbg to be useful you must have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice means you must have compiled it with Visual Studio (and not mingw etc).

    So you need not just a port to Windows (using mingw or similar) but you actually need to port the app to compile under the MS compiler if you want to use this.

    Apps like Firefox will be able to use this tool though; they already have a debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.

    I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
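    The kind of heuristic crash triage Effugas and formal_entity describe above, as an added example that is neither Microsoft's code nor !exploitable's actual rule set: a toy classifier over constructed crash records (the `Crash` fields, the four verdict labels, the 64 KiB null-page threshold and the sample crashes are all assumptions made for illustration) that buckets each crash and sorts a batch most-severe-first so the few risky bugs get fixed before the thousands of plain null dereferences.

```python
from dataclasses import dataclass

EXPLOITABLE = "EXPLOITABLE"
PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
PROBABLY_NOT_EXPLOITABLE = "PROBABLY_NOT_EXPLOITABLE"
UNKNOWN = "UNKNOWN"
NEAR_NULL = 0x10000  # constructed threshold: treat the first 64 KiB as the null page

@dataclass
class Crash:
    """One crash record as a debugger would report it (fields constructed here)."""
    exception: str      # "access_violation" or "illegal_instruction"
    access: str         # "read", "write" or "execute"
    fault_address: int  # address the faulting access touched
    pc: int             # instruction pointer at the fault
    instr: str          # mnemonic of the faulting instruction, e.g. "mov", "call"

def classify(c):
    """Return (category, reason) for one crash using simplified heuristics."""
    if c.exception == "illegal_instruction":
        return EXPLOITABLE, "illegal instruction implies a corrupted instruction stream"
    if c.access == "execute" or c.pc == c.fault_address:
        # Control flow landed on a bad address: Kaminsky's "you got EIP" case.
        if c.fault_address < NEAR_NULL:
            return PROBABLY_EXPLOITABLE, "control transfer near NULL (bad function pointer)"
        return EXPLOITABLE, "control transfer to a non-executable address"
    if c.instr in ("call", "jmp", "ret"):
        return EXPLOITABLE, "fault while loading a control-flow target"
    if c.access == "write":
        if c.fault_address < NEAR_NULL:
            return PROBABLY_NOT_EXPLOITABLE, "write near NULL, plain null-pointer deref"
        return EXPLOITABLE, "write access violation away from the null page"
    if c.access == "read":
        if c.fault_address < NEAR_NULL:
            return PROBABLY_NOT_EXPLOITABLE, "read near NULL, plain null-pointer deref"
        return UNKNOWN, "read access violation; needs data-flow analysis to decide"
    return UNKNOWN, "unrecognised crash shape"

def triage(crashes):
    """Order a batch most-severe-first so the few risky bugs get fixed first."""
    rank = {EXPLOITABLE: 0, PROBABLY_EXPLOITABLE: 1, UNKNOWN: 2, PROBABLY_NOT_EXPLOITABLE: 3}
    return sorted(((classify(c)[0], c) for c in crashes), key=lambda t: rank[t[0]])

SAMPLES = [  # constructed sample crashes, not real dumps
    Crash("access_violation", "read", 0x0000000c, 0x00401234, "mov"),     # null deref
    Crash("access_violation", "execute", 0x41414141, 0x41414141, "??"),   # pc overwritten
    Crash("access_violation", "write", 0x7ffd0008, 0x00402000, "mov"),    # wild write
    Crash("access_violation", "read", 0x0c0c0c0c, 0x00403000, "call"),    # bad call target
    Crash("access_violation", "read", 0x0c0c0c0c, 0x00404000, "mov"),     # wild read
]
```

    Calling `triage(SAMPLES)` puts the three EXPLOITABLE records first and the null dereference last; a real triager would feed the UNKNOWN bucket into deeper data-flow analysis rather than stop there.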

  • Not that this is important, but was it really pronounced "bang exploitable" when it started its life? It sounds to me like some top brass (or a journalist) wanted to show off that they know how "!" was pronounced in old UNIX speak, but without a real understanding of what it meant. You know, as in, "I am one of you, but I have no idea what the hell I am talking about".

    • Re: (Score:2, Informative)

      by Curate (783077)
      There's nothing mysterious about the "bang exploitable" nomenclature. That's how all the windbg extensions are commonly called verbally... bang analyze (!analyze), bang process (!process), and so on. It's been that way for as long as I can recall.
      • by hwyhobo (1420503)
        Thanks for the explanation. In other words, the pronunciation of the "!" is preserved, but the meaning is different than the old "NOT". Is this just a Microsoft thing to use "!" for such extensions, or do others do it as well? I am not familiar with that convention.
        • by dbIII (701233)
          It's just like their convention to use "." at the start of a word and "net" for local applications.

          In other words, irrelevant bullshit but it's their stuff so they get to pick the name.

  • Did anyone else misread this (before reading the summary) as Microsoft is working on an automated program to find *security exploits in open-source projects*?

    Man, I had to readjust my tinfoil hat for a second there.

    --
    Toro

  • One of the CS professors here is working on a research project that seems to have a similar use, except it relies on binary analysis. http://bitblaze.cs.berkeley.edu/ [berkeley.edu] They also made a tool to automatically generate exploits based on Microsoft patches, and I guess they're just hoping that that capability doesn't fall into the wrong hands... Professor Song is scary.
  • by fireman sam (662213) on Sunday March 22, 2009 @05:11PM (#27291219) Homepage Journal

    #include <stdlib.h>
    #include <stdio.h>
    int main(int argc, char *argv[])
    {
    #ifdef WIN32
        fprintf(stderr, "Your system is not secure\n");
    #else
        fprintf(stderr, "Your system is not popular enough to be targetted, therefore it is secure\n");
    #endif

        return 0;
    }
