Microsoft To Release Open Source Security App

To help developers identify mechanisms that lead to system crashes or have other security implications, Microsoft will unveil its !exploitable (pronounced "bang exploitable") Crash Analyzer on Friday at the CanSecWest conference in Vancouver. The open source tool will be available as a free download at the Microsoft Security Engineering Center's Web site.

The tool is designed to help developers classify, assess and ultimately prevent program crashes, especially as they relate to exploits running loose in enterprise processing environments.

!exploitable is a plug-in for the Windows debugger that classifies different crash scenarios, grouping them into what it calls "hashes." Using the information in the "major" and "minor" hashes, the tool isolates crashes and correlates them with bugs to determine how often crashes or shutdowns are caused by the same bug or the same exploit.

The tool is also diagnostic in the sense that it can estimate the exploitability of any given vulnerability with a rating system that ranges from "Exploitable" through "Probably Exploitable" and "Possibly Exploitable" to "Unknown."

Observers tout the tool's release as useful because it helps reduce the attack surface of the whole enterprise stack, not just Microsoft's own software.

"As a tool, it can save developers time and effort," said Roger Kay, president of Endpoint Technologies Associates Inc. "A number of apparently different crashes can actually be caused by the same code. The analyzer isolates the offending block and essentially says, 'Here, all these different crashes are actually the same failure, and it's an important one that you ought to fix right away because it presents an open attack surface,' or 'This other one isn't harmful, so then you can fix it when you have time.'"

!exploitable is the latest bell-and-whistle technology designed to drive home the concept of a security development lifecycle (SDL) to Microsoft technology partners and Windows enterprise professionals. Under SDL, security would be both an integral and integrated part of application development in non-Windows and Windows processing stacks alike. The goal is to put the onus on development managers and IT policy makers to create benchmarks and criteria for reducing IT risk.

"You can measure functionality, dependability and viability in any environment, but security is a bit more difficult to track over time," said Dan Kaminsky, director of penetration testing at security firm IOActive Inc. "What Bang Exploitable does is create a scenario that is asymmetrically better for the good guys. It answers the question of how you release tools without actually helping the attackers."

Furthermore, Kaminsky said, the tool's ease of use will be a boon for non-security personnel and junior developers and testers, giving them the leeway to paint various scenarios of what could happen so that it doesn't.

"We know for sure that at one point or another, a system is going to crash," Kaminsky said. "But I think having the weight of a Microsoft behind you and being able to say, hey, we know this was an operational thing and not a security thing or the other way around is a positive step for the whole IT ecosystem."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
