Researchers and developers - and hackers - can dramatically slash the time it takes to root out exploitable security vulnerabilities by using an open-source toolkit created at UC Berkeley, noted bug hunter Charlie Miller said at Black Hat.
BitBlaze can cut the time required to identify a hackable bug from days or even weeks to just hours, said Charlie Miller, an analyst with Independent Security Evaluators (ISE), a Baltimore-based security consultancy. Miller presented his findings at the security conference that kicked off Wednesday in Las Vegas.
"It's not really hard to find bugs anymore," said Miller in an interview last week as he prepared for Black Hat. "The problem is that we find all these crashes using fuzzing, but we don't know what to do with them. The hardest part is prioritizing them and the underlying vulnerability that caused the crash."
Miller was joined today at the Black Hat briefing by Noah Johnson, a computer science Ph.D. candidate at the University of California Berkeley. Johnson is part of a team at the school that developed BitBlaze , a multi-tool platform that automates malicious code analysis.
In some ways, the Miller-Johnson Black Hat talk was a follow-up to Miller's "fuzzing" work earlier in the year.
At the CanSecWest security conference in March, Miller demonstrated how he was able to find scores of possible bugs using what he called a "dumb fuzzer," a concise tool that automatically searches for flaws in software by inserting data to see where a program failed. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release their software.
Miller, the only researcher to win the CanSecWest-hosted Pwn2Own hacking contest three years running , created a stir at the conference when he refused to hand over what he'd found to Apple , Adobe or Microsoft . Instead, Miller said he wanted to show vendors how easy it was to uncover bugs, which he hoped would prompt them to do more fuzzing of their own.
"I logged more than 40 crashes in Adobe Reader, over 200 in Apple's Preview," said Miller of his fuzzing work earlier this year. "But the tool I was using then, Microsoft's "!exploitable" [pronounced 'bang exploitable'] said that six of those Adobe crashes were likely exploitable."
Half of the time, !exploitable told Miller it couldn't determine whether the crash could lead to exploitation. "In that way, it doesn't help at all," said Miller.
To verify whether a !exploitable-identified flaw could be attacked, and more importantly, to determine where in the code the flaw lay and how it could be exploited, would take time that Miller didn't have. "I didn't have the time to look at them manually," he said. "It would take at least a day, maybe a week, to examine each of those [six suspicious] crashes in Reader."
But by using BitBlaze -- which was recommended to him by Microsoft researcher David Molnar -- Miller was able to analyze the faulty code in hours, not days or weeks.
"I used the generic binary mapping tool in BitBlaze to look at the good file and the bad file," said Miller, referring to his fuzzing-produced version as the "bad" file. "I ran both those files and turned on tracing, which records every instruction and how data flows through the file. It doesn't spit out an exploit, of course, but it lets you trace the problem [that generated the crash]."
With BitBlaze, Miller was quickly able to identify four critical vulnerabilities in Microsoft Word from his collection of 60-some fuzzing-produced crash reports.
Once BitBlaze pinpoints a vulnerability, a researcher can then start to work on an exploit that will trigger the bug.
Although the implications to security researchers are obvious -- they will be able to crank up their production of vulnerability discoveries -- Miller also argued that developers should be using BitBlaze, too.
"Developers can use BitBlaze to more quickly figure out what made their programs crash," he said. "If you were finding 10 bugs a month before, you'll be able to find 100 a month with BitBlaze."
Finding bugs isn't the tough part of a researcher's or developer's job -- not with the kind of results fuzzing provides, said Miller. "Now, it's which crashes are the most serious ones, and which are actually exploitable," he said.
"With BitBlaze, you can [cut] the time you spend figuring out what's going on from a week to a few hours," Miller said.