New Microsoft Tool Analyzes Memory Corruption Bugs
5.10.2017 securityweek Forensics
A newly released analysis tool from Microsoft helps security engineers and developers investigate memory corruption bugs.
Called VulnScan, the tool has been designed and developed by the Microsoft Security Response Center (MSRC) to help determine the vulnerability type and root cause of memory corruption flaws. The utility was built on top of two internally developed tools, namely Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD), the tech giant says.
WinDbg was created as a Windows debugger that has recently received a user interface makeover, while Time Travel Debugging is an internally developed framework designed to record and replay execution of Windows applications.
“By leveraging WinDbg and TTD, VulnScan is able to automatically deduce the root cause of the most common types of memory corruption issues. Application Verifier’s mechanism called PageHeap is used to trigger an access violation closer to the root cause of the issue,” Mateusz Krzywicki from MSRC explains.
The tool begins the analysis process from the crash location then progresses to determine the root cause. VulnScan includes support for five different classes of memory corruption issues, namely Out of bounds read/write, Use after free, Type confusion, Uninitialized memory use, and Null/constant pointer dereference.
According to Krzywicki, the tool can also detect integer overflows and underflows, along with basic out of bounds accesses caused by a bad loop counter value. Use-after-free bugs can be detected even without PageHeap enabled.
MSRC already makes use of the new tool as part of their automation framework called Sonar, which was designed to process externally reported proof of concept files. The platform can both reproduce issues and perform root cause analysis by employing multiple different environments.
Microsoft also plans on including VulnScan in the Microsoft Security Risk Detection service (Project Springfield). As part of this service, it will be used to de-duplicate crashes and provide extended analysis of vulnerabilities found through fuzzing.
“Over a 10-month period where VulnScan was used to triage all memory corruption issues for Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products. It had a success rate around 85%, saving an estimated 500 hours of engineering time for MSRC engineers,” Krzywicki says.
The tool uses multi-branch taint analysis, meaning that it can sequentially track all values obtained from a single instruction. VulnScan also features a queue of registers and memory addresses associated with specific positions in the execution timeline and performs taint analysis separately for each branch, so that application data flow could be recreated in full.