Microsoft To Release Open Source Security App
- By Jabulani Leffall
- March 20, 2009
To help developers identify mechanisms that lead to system crashes or have other security implications, Microsoft will unveil its !exploitable (pronounced "bang exploitable") Crash Analyzer on Friday at the CanSecWest conference in Vancouver. The open source tool will be available as a free download at the Microsoft Security Engineering Center's Web site
The tool is designed to help developers classify, assess and ultimately prevent program crashes, especially as they relate to exploits running loose in enterprise processing environments.
!exploitable is a plug-in for the Windows debugger that classifies different crash scenarios, grouping them into what it calls "hashes." Based on information discovered on "major" and "minor" hashes, the tool isolates crashes and correlates them with bugs to determine the frequency of bug-related crashes or shutdowns caused by the same exploit.
The tool is also diagnostic in the sense that it can estimate the exploitability of any given vulnerability with a rating system that ranges from "Exploitable," "Probably Exploitable," "Possibly Exploitable" and "Unknown."
Observers tout the tool's release as useful because it helps reduce the attack surface of the whole enterprise stack, not just Microsoft's own software.
"As a tool, it can save developers time and effort," said Roger Kay, president of Endpoint Technologies Associates Inc. "A number of apparently different crashes can actually be caused by the same code. The analyzer isolates the offending block and essentially says, 'Here, all these different crashes are actually the same failure, and it's an important one that you ought to fix right away because it presents an open attack surface,' or 'This other one isn't harmful, so then you can fix it when you have time.'"
!exploitable is the latest bell-and-whistle technology designed to drive home the concept of a security development lifecycle (SDL) to Microsoft technology partners and Windows enterprise professionals. Under SDL, security would be both an integral and integrated part of application development in non-Windows and Windows processing stacks alike. The goal is to put the onus on development managers and IT policy makers to create benchmarks and criteria for reducing IT risk.
"You can measure functionality, dependability and viability in any environment, but security is a bit more difficult to track over time," said Dan Kaminsky, director of penetration testing at security firm IOActive Inc. "What Bang Exploitable does is create a scenario that is asymmetrically better for the good guys. It answers the question of how you release tools without actually helping the attackers."
Furthermore, Kaminsky said, the tool's ease of use will be a boon for non-security personnel and junior developers and testers, giving them the leeway to paint various scenarios of what could happen so that it doesn't.
"We know for sure that at one point or another, a system is going to crash," Kaminsky said. "But I think having the weight of a Microsoft behind you and being able to say, hey, we know this was an operational thing and not a security thing or the other way around is a positive step for the whole IT ecosystem."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.