At BlueHat v8 in October 2008, Dave Weinstein, Jason Shirk and Lars Opstad presented the topic of when it’s okay to stop fuzzing (Fuzzed Enough? When It’s OK to Put the Shears Down). As part of that presentation, Dave talked about a technique used within Microsoft for triaging and categorizing crashes. By “Bucketizing” the crashes, developers and testers can quickly see how many actual crashes they are dealing with, and understand any security implications each crash may have.
Dave also announced that Microsoft would be releasing the tool publicly before the end of June 2009. Several days ago at CanSecWest, Dave and Jason presented the topic “Automated Real-time and Post Mortem Security Crash Analysis and Categorization.” They also released the !exploitable Crash Analyzer publicly, which is open source under the Microsoft Public License (MS-PL).
The tool performs two functions: it groups similar crashes together in order to cut down on looking at duplicates; and it assigns an exploitability classification of “Exploitable,” “Probably Exploitable,” “Probably Not Exploitable,” or “Unknown.”
This tool runs as an extension within the Windows Debugger (WinDbg.exe), called MSEC.dll. To run the tool while in the debugger, just type !exploitable and you’ll get something that looks like this:
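To show how the two functions described above (grouping duplicates and assigning a classification) combine into a triage pass over a fuzzing run, here is an added Python example. It is not part of the original post and not code from the !exploitable extension itself; it post-processes the extension's textual reports. The sample reports, hash values and symbol names are constructed, and the assumed fields (an "Exploitability Classification:" line and a "Recommended Bug Title: ... (Hash=major.minor)" line) follow the report layout as I know it; adjust the regular expressions if your tool version prints them differently.

```python
import re

# Ranking of the four classifications the extension emits; lower index = worse.
SEVERITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

# Assumed report fields (see lead-in): classification line and the bug title carrying
# the Major.Minor hash pair the extension uses for bucketing.
CLASS_RE = re.compile(r"^Exploitability Classification:\s*(\S+)", re.M)
TITLE_RE = re.compile(
    r"^Recommended Bug Title:\s*(.+?)\s*\(Hash=(0x[0-9a-fA-F]+)\.(0x[0-9a-fA-F]+)\)", re.M
)

# Constructed sample reports (not real tool output): two crashes share a Major hash but
# differ in Minor hash, two share both hashes but were classified differently, one is a
# separate bucket, and one is garbage that should be skipped.
SAMPLE_REPORTS = [
    "Exploitability Classification: EXPLOITABLE\n"
    "Recommended Bug Title: Exploitable - User Mode Write AV starting at app!Parse+0x10 (Hash=0x11111111.0xaaaa0001)\n",
    "Exploitability Classification: EXPLOITABLE\n"
    "Recommended Bug Title: Exploitable - User Mode Write AV starting at app!Parse+0x10 (Hash=0x11111111.0xaaaa0002)\n",
    "Exploitability Classification: PROBABLY_NOT_EXPLOITABLE\n"
    "Recommended Bug Title: Probably Not Exploitable - Read Access Violation near NULL starting at app!Load+0x40 (Hash=0x22222222.0xbbbb0001)\n",
    "Exploitability Classification: UNKNOWN\n"
    "Recommended Bug Title: Unknown - Read Access Violation starting at app!Decode+0x8 (Hash=0x33333333.0xcccc0001)\n",
    "Exploitability Classification: PROBABLY_EXPLOITABLE\n"
    "Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Branch Selection starting at app!Decode+0x8 (Hash=0x33333333.0xcccc0001)\n",
    "debugger session ended before !exploitable ran\n",
]


def parse_report(text):
    """Extract classification, title and Major/Minor hash from one report.

    Returns a dict, or None when the report lacks either assumed field or carries a
    classification outside the four known values.
    """
    cm = CLASS_RE.search(text)
    tm = TITLE_RE.search(text)
    if not cm or not tm:
        return None
    cls = cm.group(1).upper()
    if cls not in SEVERITY:
        return None
    return {
        "classification": cls,
        "title": tm.group(1),
        "major": tm.group(2).lower(),
        "minor": tm.group(3).lower(),
    }


def bucketize(reports):
    """Group reports by Major hash (the coarse bucket).

    Each bucket records how many crashes landed in it, the distinct Minor hashes seen,
    and the worst classification observed, so one exploitable variant is not hidden
    behind many benign-looking duplicates of the same root cause.
    """
    buckets = {}
    for text in reports:
        r = parse_report(text)
        if r is None:
            continue  # unparseable report: leave it out rather than guess a bucket
        b = buckets.setdefault(
            r["major"],
            {"count": 0, "minors": set(), "worst": SEVERITY[-1], "title": r["title"]},
        )
        b["count"] += 1
        b["minors"].add(r["minor"])
        if SEVERITY.index(r["classification"]) < SEVERITY.index(b["worst"]):
            b["worst"] = r["classification"]
            b["title"] = r["title"]
    return buckets


def triage_order(buckets):
    """Return Major hashes worst-classification-first, then by crash count descending."""
    return sorted(
        buckets, key=lambda m: (SEVERITY.index(buckets[m]["worst"]), -buckets[m]["count"])
    )


if __name__ == "__main__":
    found = bucketize(SAMPLE_REPORTS)
    for major in triage_order(found):
        b = found[major]
        print(f"{major}: {b['worst']:<24} crashes={b['count']} variants={len(b['minors'])}  {b['title']}")
```

Running it over the constructed reports collapses five crashes into three buckets and lists the bucket with an EXPLOITABLE write access violation first, which is the order a developer would want to work the queue in. Bucketing on the Major hash is deliberately coarse; the Minor hashes are kept so that distinct variants inside a bucket remain visible once the root cause is fixed.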
In releasing this tool publicly, we hope to help developers and testers working on Windows platforms manage their bugs more efficiently by understanding what’s a duplicate and what’s a security problem that may put users at risk.
Enjoy, and Happy Fuzzing!
Jason Shirk, Microsoft Security Engineering Center