Focus on Apple
Announcing CrashWrangler Jul 08 2009 08:10PM
Drew Yao (ayao apple com)


Apple recently released the new CrashWrangler tools to anyone with a
free ADC account. They are available at:

... or just look for it in the downloads section of
under Mac OS X.

CrashWrangler is a set of developer tools that help in creating and
debugging secure Mac OS X applications. The tools work by inspecting
the application's state at the time of the crash, as well as the
application crash logs. Using these tools on a reproducible test case
can determine if a crash could lead to a potentially exploitable
security issue, while providing valuable data to fix these issues.
Additionally, any crash log can be inspected to determine if it is a
duplicate of a known crash. The CrashWrangler tools support Mac OS X
10.5 or later.

It should be understood that CrashWrangler uses advanced heuristics,
but that false positives and false negatives are possible. It's
intended for quick assessment. As always, a detailed manual
inspection is the only way to be sure something is or isn't exploitable.

The basic algorithm for determining exploitability looks like this.

Exploitable if:
Crash on write instruction
Crash executing invalid address
Crash calling an invalid address
Crash accessing an uninitialized or freed pointer as indicated by
using the MallocScribble environment variable
Illegal instruction exception
Abort due to -fstack-protector, _FORTIFY_SOURCE, heap corruption
Stack trace of crashing thread contains certain functions such as
malloc, free, szone_error, objc_msgSend, etc.

Not exploitable if:
Divide by zero exception
Stack grows too large due to recursion
Null dereference
Other abort
Crash on read instruction

If a crash is determined to be non-exploitable, it's recommended to
run the test case again with libgmalloc(3) on with MALLOC_ALLOW_READS
and MALLOC_FILL_SPACE set, and see if the crash changes to one that is
considered to be exploitable.

CrashWrangler does not send any data about your crash to Apple or
anyone else. Note that it does forward the information about the
crash to CrashReporter, which is part of the OS, and as always it will
send info to Apple if and only if you click the "Send to Apple" button
in the Crash Reporter dialog.

Drew Yao
Apple Product Security
PGP key at
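Added example, not part of the post and not CrashWrangler's own code: the rule list above expressed as a small Python triage function. The Crash record fields, the abort-message wording, the 0xAA/0x55 MallocScribble fill patterns and the rule ordering (runaway recursion ruled out before the generic write rule, exploitable rules otherwise checked before non-exploitable ones) are this example's assumptions.

```python
# Toy exploitability triage modelled on the heuristic rules in the post.
# Constructed example; field names, thresholds and ordering are assumptions.
from dataclasses import dataclass, field

HEAP_FRAMES = {"malloc", "free", "szone_error", "objc_msgSend"}
ABORT_MARKERS = ("stack smashing", "buffer overflow", "heap corruption",
                 "incorrect checksum", "was not allocated")  # assumed wording
# MallocScribble fills fresh allocations with 0xAA and freed blocks with 0x55
SCRIBBLE = {0xAAAAAAAA, 0x55555555, 0xAAAAAAAAAAAAAAAA, 0x5555555555555555}
NULL_PAGE = 0x1000        # faults below this address count as NULL derefs
RECURSION_DEPTH = 512     # a very deep trace of one repeating frame


@dataclass
class Crash:
    exception: str            # BAD_ACCESS, BAD_INSTRUCTION, ARITHMETIC, ABORT
    access: str = ""          # "read", "write" or "exec" for BAD_ACCESS
    fault_addr: int = 0
    abort_reason: str = ""
    frames: list = field(default_factory=list)   # innermost frame first


def classify(c: Crash) -> tuple:
    """Return (is_exploitable, reason) by walking the post's rule list."""
    if c.exception == "BAD_INSTRUCTION":
        return True, "illegal instruction"
    if c.exception == "ARITHMETIC":
        return False, "divide by zero"
    if c.exception == "ABORT":
        hit = any(m in c.abort_reason.lower() for m in ABORT_MARKERS)
        return hit, "memory-safety abort" if hit else "other abort"
    # BAD_ACCESS: stack exhaustion faults on a write to the guard page,
    # so rule out runaway recursion before applying the write rule.
    if len(c.frames) > RECURSION_DEPTH and len(set(c.frames)) < 4:
        return False, "stack overflow from recursion"
    if c.access == "exec":
        return True, "executing or calling an invalid address"
    if c.fault_addr in SCRIBBLE:
        return True, "uninitialized or freed pointer (MallocScribble fill)"
    bad = HEAP_FRAMES.intersection(c.frames)
    if bad:
        return True, f"crashing thread inside {sorted(bad)[0]}"
    if c.access == "write":
        return True, "write to invalid address"
    if c.fault_addr < NULL_PAGE:
        return False, "NULL dereference"
    return False, "read from invalid address"
```

A non-exploitable verdict is where the post's libgmalloc(3) re-run advice applies: feed the new crash record back through classify() and see whether the verdict changes.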



