!exploitable Crash Analyzer Now Available

At BlueHat v8 in October 2008, Dave Weinstein, Jason Shirk and Lars Opstad presented the topic of when it’s okay to stop fuzzing (Fuzzed Enough? When It’s OK to Put the Shears Down). As part of that presentation, Dave talked about a technique used within Microsoft for triaging and categorizing crashes. By “Bucketizing” the crashes, developers and testers can quickly see how many actual crashes they are dealing with, and understand any security implications each crash may have.

Dave also announced that Microsoft would be releasing the tool publicly before the end of June 2009. Several days ago at CanSecWest, Dave and Jason presented the topic “Automated Real-time and Post Mortem Security Crash Analysis and Categorization.” They also released the !exploitable Crash Analyzer publicly, which is open source under the Microsoft Public License (MS-PL).

The tool performs two functions: it groups similar crashes together in order to cut down on looking at duplicates; and it assigns an exploitability classification of “Exploitable,” “Probably Exploitable,” “Probably Not Exploitable,” or “Unknown.”
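To make the two functions concrete, here is an added sketch (not part of the original post and not the tool's own code) that buckets crash records and orders the buckets for review using the four ratings above. The bucketing rule (exception type plus the top three stack frames), the review order, and all module and file names are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# The four ratings named in the post; this review order (Unknown ahead of
# "Probably Not Exploitable") is an assumed triage policy, not the tool's.
SEVERITY = ["Exploitable", "Probably Exploitable", "Unknown", "Probably Not Exploitable"]

def bucket_key(crash, depth=3):
    """Assumed bucketing rule: exception type plus the top `depth` frames,
    with offsets stripped (module!function+0x1f -> module!function)."""
    frames = [f.split("+")[0] for f in crash["stack"][:depth]]
    raw = "|".join([crash["exception"]] + frames)
    return hashlib.sha256(raw.encode()).hexdigest()[:12]

def triage(crashes, depth=3):
    """Group duplicate crashes into buckets and return them ordered for review."""
    buckets = defaultdict(list)
    for crash in crashes:
        buckets[bucket_key(crash, depth)].append(crash)
    report = []
    for key, members in buckets.items():
        # A bucket takes the most severe rating seen among its members.
        rating = min((c["rating"] for c in members), key=SEVERITY.index)
        report.append({"bucket": key, "rating": rating, "count": len(members),
                       "inputs": sorted(c["input"] for c in members)})
    report.sort(key=lambda b: (SEVERITY.index(b["rating"]), -b["count"]))
    return report

# Constructed sample: five fuzzer crashes (hypothetical modules and inputs).
CRASHES = [
    {"input": "case_0007.bin", "exception": "ACCESS_VIOLATION_WRITE", "rating": "Exploitable",
     "stack": ["parser!ReadChunk+0x4a", "parser!ParseFile+0x112", "app!main+0x30"]},
    {"input": "case_0031.bin", "exception": "ACCESS_VIOLATION_WRITE", "rating": "Exploitable",
     "stack": ["parser!ReadChunk+0x4a", "parser!ParseFile+0x19c", "app!main+0x30"]},
    {"input": "case_0102.bin", "exception": "ACCESS_VIOLATION_READ", "rating": "Probably Not Exploitable",
     "stack": ["parser!GetHeader+0x10", "parser!ParseFile+0x58", "app!main+0x30"]},
    {"input": "case_0044.bin", "exception": "ACCESS_VIOLATION_READ", "rating": "Probably Not Exploitable",
     "stack": ["parser!GetHeader+0x10", "parser!ParseFile+0x58", "app!main+0x30"]},
    {"input": "case_0090.bin", "exception": "STACK_OVERFLOW", "rating": "Unknown",
     "stack": ["parser!Recurse+0x22", "parser!Recurse+0x22", "parser!Recurse+0x22"]},
]

if __name__ == "__main__":
    for b in triage(CRASHES):
        print(f'{b["rating"]:26} x{b["count"]}  bucket={b["bucket"]}  {b["inputs"]}')
```

Five crash files collapse into three buckets here, with the write access violation at the top of the review queue.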

The tool runs as a Windows Debugger (WinDbg.exe) extension called MSEC.dll. To run it while in the debugger, just type _!exploitable_ and you’ll get something that looks like this:

[Screenshot: !exploitable output in WinDbg]

In releasing this tool publicly, we hope to help developers and testers working on Windows platforms manage their bugs more efficiently by understanding what’s a duplicate and what’s a security problem that may put users at risk.

Please visit http://www.microsoft.com/security/msec for more information, and a link to download the tool from CodePlex.

Enjoy, and Happy Fuzzing!

Jason Shirk, Microsoft Security Engineering Center
