VANCOUVER, B.C. Aiming to better identify bugs that could lead to security issues, Microsoft announced on Wednesday that it planned to release a tool to help developers classify and assess program crashes.
The tool, known as !exploitable and pronounced "bang exploitable," is a plugin for the Windows debugger that categorizes crash information using two hashes, members of Microsoft's Security Science group told SecurityFocus in a briefing. Using the hashes, which Microsoft called major and minor hashes, the tool can group crashes that are caused by the same bug, even if the program executed in different ways to produce the crashes. The tool also estimates the exploitability of the vulnerability, rating them as Exploitable, Probably Exploitable, Possibly Exploitable, and Unknown.
"It helps to define what exploitability means among researchers," said Jason Shirk, Microsoft's program manager for fuzzing technology. "It's saying, how do we want to talk about these things, so we are sure we are talking about the same thing."
The program is the latest software tool that Microsoft has released to help third-party developers better secure their software. In 2006, the company announced it had added three security features to Vista: address space layout randomization (ASLR), data execution protection (DEP) and kernel patch protection. In 2002, Microsoft released new versions of Visual C++ development platforms, which included an anti-buffer-overflow feature known as the GS flag. On Wednesday, Microsoft also announced that it would be improving the GS flag technology in Visual Studio 2010, allowing it to protect against integer overflows and database array overflows.
To demonstrate the usefulness of the !exploitable program, Microsoft's Security Science group asked internal testing groups to run four different fuzzers against a recently acquired software program. The !exploitable tool identified 15 security issues among the 57 different crashes produced by the fuzzers and classified only one issue Exploitable.
"Internally, if someone comes across someting that is Exploitable or Probably Exploitable, then they have no choice, it has to be fixed," said Shirk said.
Microsoft plans to release the tool at the CanSecWest conference on Friday after a presentation to attendees on the technology.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos