Microsoft Corporation released a new tool which helps security specialists to analyze memory corruption bugs. The tool is called VulnScan and it was created by the Microsoft Security Response Center (MSRC) to determine the vulnerability type and the root cause of memory corruption flaws.
According to Microsoft, the utility was built on top of two internally developed tools – Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD).
WinDbg is the Windows debugger, which received a user interface makeover a while ago, and Time Travel Debugging is an internally developed framework for recording and replaying the execution of Windows applications.
“By leveraging WinDbg and TTD, VulnScan is able to automatically deduce the root cause of the most common types of memory corruption issues. Application Verifier’s mechanism called PageHeap is used to trigger an access violation closer to the root cause of the issue,” Mateusz Krzywicki says.
The VulnScan tool starts the analysis process from the crash location and determines the root cause after that.
The tool supports five classes of memory corruption issues: out-of-bounds read/write, use-after-free, type confusion, uninitialized memory use, and null/constant pointer dereference.
Mateusz Krzywicki claims that VulnScan can also detect integer overflows and underflows, alongside the basic out-of-bounds accesses caused by a bad loop counter value. Use-after-free bugs can be detected even without enabling PageHeap.
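The quote above says PageHeap is used to "trigger an access violation closer to the root cause of the issue". The example below, which is added here and is not VulnScan's or Microsoft's code, shows the idea behind that on POSIX using a guard-page allocator: each buffer is placed so that it ends exactly at a `PROT_NONE` page, so the first out-of-bounds byte faults at the offending store rather than silently corrupting a neighbour, and freed memory is made inaccessible instead of being reused, so a dangling-pointer write faults immediately. The function names (`guard_alloc`, `guard_free`, `probe_write`) and the 16- and 32-byte sample buffers are constructed for this example; the fault is caught with a `SIGSEGV` handler so the program can report it instead of crashing.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;
static int handler_installed;

/* Signal handler: record the fault and unwind back to the probe site. */
static void on_segv(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

static void install_handler(void) {
    if (handler_installed) return;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    handler_installed = 1;
}

/* guard_alloc (hypothetical helper): map two pages, make the second one a
   PROT_NONE guard, and return a buffer that ends exactly at that guard page.
   Any write one byte past the end lands in the guard and faults at once. */
static unsigned char *guard_alloc(size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (n == 0 || n > page) return NULL;
    unsigned char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + page, page, PROT_NONE) != 0) return NULL;
    return base + page - n;
}

/* guard_free (hypothetical helper): keep the address range reserved but make
   it inaccessible, so a later use of the dangling pointer faults at the
   offending instruction instead of corrupting whoever reused the memory. */
static void guard_free(unsigned char *p) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base =
        (unsigned char *)((uintptr_t)p & ~(uintptr_t)(page - 1));
    mprotect(base, page, PROT_NONE);
}

/* probe_write: attempt a one-byte store at p[idx]; returns 1 if it faulted. */
static int probe_write(unsigned char *p, size_t idx) {
    install_handler();
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        ((volatile unsigned char *)p)[idx] = 0x41;
    }
    return fault_seen ? 1 : 0;
}

/* Returns 1 when the last in-bounds byte is writable but the first byte past
   the end faults, i.e. the overflow is caught at its root cause. */
int out_of_bounds_faults(void) {
    unsigned char *buf = guard_alloc(16);
    if (!buf) return -1;
    int in_bounds = probe_write(buf, 15);
    int one_past  = probe_write(buf, 16);
    return (in_bounds == 0 && one_past == 1);
}

/* Returns 1 when a write through the pointer succeeds before free and faults
   after free, i.e. the use-after-free is caught at the dangling access. */
int use_after_free_faults(void) {
    unsigned char *buf = guard_alloc(32);
    if (!buf) return -1;
    int before = probe_write(buf, 0);
    guard_free(buf);
    int after = probe_write(buf, 0);
    return (before == 0 && after == 1);
}

int main(void) {
    printf("out-of-bounds write faults at root cause: %s\n",
           out_of_bounds_faults() == 1 ? "yes" : "no");
    printf("use-after-free faults at root cause:      %s\n",
           use_after_free_faults() == 1 ? "yes" : "no");
    return 0;
}
```

Without the guard page, the 17th-byte write in `out_of_bounds_faults` would land in ordinary heap memory and the process might only crash much later in unrelated code, which is exactly the gap between crash location and root cause that a tool like VulnScan has to bridge. With the guard page in place the crashing instruction is the buggy one, so a debugger or a trace replay only has to walk back a few steps.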
MSRC already uses VulnScan as part of Sonar, its automation framework for processing externally reported proof-of-concept files. The platform reproduces issues and performs root cause analysis across multiple different environments.
Microsoft Corporation plans to include the VulnScan tool in their new Security Risk Detection service (Project Springfield). As part of the service, the tool will be used to de-duplicate crashes and provide extended analysis of vulnerabilities found through fuzzing.
“Over a 10-month period in which VulnScan was used to triage all memory corruption issues for Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products, it had a success rate of around 85%, saving an estimated 500 hours of engineering time for MSRC engineers,” Krzywicki explains.