Focus on Apple
Announcing CrashWrangler Jul 08 2009 08:10PM
Drew Yao (ayao apple com)

Hello,

Apple recently released the new CrashWrangler tools to anyone with a
free ADC account, and they are available at:

https://connect.apple.com/cgi-bin/WebObjects/MemberSite.woa/wa/getSoftware?bundleID=20390

... or just look for it in the downloads section of http://connect.apple.com/
under Mac OS X.

CrashWrangler is a set of developer tools that help in creating and
debugging secure Mac OS X applications. The tools work by inspecting
the application's state at the time of the crash, as well as the
application crash logs. Using these tools on a reproducible test case
can determine if a crash could lead to a potentially exploitable
security issue, while providing valuable data to fix these issues.
Additionally, any crash log can be inspected to determine if it is a
duplicate of a known crash. The CrashWrangler tools support Mac OS X
10.5 or later.

It should be understood that CrashWrangler uses advanced heuristics,
but that false positives and false negatives are possible. It's
intended for quick assessment. As always, a detailed manual
inspection is the only way to be sure something is or isn't exploitable.

The basic algorithm for determining exploitability looks like this.

Exploitable if:
  - Crash on write instruction
  - Crash executing invalid address
  - Crash calling an invalid address
  - Crash accessing an uninitialized or freed pointer as indicated by
    using the MallocScribble environment variable
  - Illegal instruction exception
  - Abort due to -fstack-protector, _FORTIFY_SOURCE, heap corruption
    detected
  - Stack trace of crashing thread contains certain functions such as
    malloc, free, szone_error, objc_msgSend, etc.

Not exploitable if:
  - Divide by zero exception
  - Stack grows too large due to recursion
  - Null dereference
  - Other abort
  - Crash on read instruction

If a crash is determined to be non-exploitable, it's recommended to
run the test case again with libgmalloc(3) on with MALLOC_ALLOW_READS
and MALLOC_FILL_SPACE set, and see if the crash changes to one that is
considered to be exploitable.

CrashWrangler does not send any data about your crash to Apple or
anyone else. Note that it does forward the information about the
crash to CrashReporter, which is part of the OS, and as always it will
send info to Apple if and only if you click the "Send to Apple" button
in the Crash Reporter dialog.

Drew Yao
Apple Product Security
PGP key at https://www.apple.com/support/security/pgp/
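
The two rule lists in the post, sketched as an added Python example (not CrashWrangler's code and not part of the original message). The Crash record and its field names, the order in which the rules are checked, the 0x1000 null-page bound and the test for MallocScribble's 0x55/0xAA fill bytes in the faulting address are assumptions of this example; the post gives only the lists.

```python
from dataclasses import dataclass, field

# Function names taken from the post, lowercased for comparison.
SUSPICIOUS = {"malloc", "free", "szone_error", "objc_msgsend"}
# Labels for the aborts the post treats as exploitable (labels are this example's own).
HARDENING_ABORTS = {"stack_protector", "fortify_source", "heap_corruption"}

@dataclass
class Crash:                      # hypothetical record, filled in by the caller
    exception: str                # Mach exception name, e.g. "EXC_BAD_ACCESS"
    access: str = ""              # "read", "write", "exec" or "call"
    address: int = 0              # faulting address
    abort_reason: str = ""        # why abort() was raised, if known
    recursion: bool = False       # stack exhausted by recursion
    frames: list = field(default_factory=list)  # crashing thread, top first

def looks_scribbled(addr):
    """True if the address is built from MallocScribble fill bytes
    (0x55 freed, 0xAA allocated); the low byte is ignored as a field offset."""
    hi = addr >> 8
    b = hi.to_bytes(max(1, (hi.bit_length() + 7) // 8), "big")
    return len(b) >= 3 and set(b) in ({0x55}, {0xAA})

def classify(c):
    """Return (exploitable, reason). Rule order is an assumption of this sketch."""
    if c.exception == "EXC_ARITHMETIC":
        return False, "divide by zero"
    if c.recursion:
        return False, "stack exhausted by recursion"
    if c.exception == "EXC_BAD_INSTRUCTION":
        return True, "illegal instruction"
    if c.exception == "EXC_CRASH" and c.abort_reason in HARDENING_ABORTS:
        return True, "abort raised by " + c.abort_reason
    if c.exception == "EXC_BAD_ACCESS":
        if looks_scribbled(c.address):
            return True, "uninitialized or freed pointer"
        if c.address < 0x1000:
            return False, "null dereference"
        if c.access in ("write", "exec", "call"):
            return True, "crash on " + c.access
    hit = [f for f in c.frames if f.lower() in SUSPICIOUS]
    if hit:
        return True, "suspicious frame " + hit[0]
    return False, "read crash or other abort"

if __name__ == "__main__":
    # Constructed sample: a read through a pointer loaded from freed memory.
    print(classify(Crash("EXC_BAD_ACCESS", access="read", address=0x55555561)))
```

A read crash that this sketch rates as not exploitable is the case the post recommends re-running under libgmalloc(3).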

Copyright 2010, SecurityFocus