Dailydave mailing list archives

Announcing CrashWrangler


From: Drew Yao <ayao () apple com>
Date: Wed, 8 Jul 2009 13:10:03 -0700

Hello,

Apple recently released the new CrashWrangler tools to anyone with a  
free ADC account, and they are available at:

        https://connect.apple.com/cgi-bin/WebObjects/MemberSite.woa/wa/getSoftware?bundleID=20390

... or just look for it in the downloads section of http://connect.apple.com/ under Mac OS X.

CrashWrangler is a set of developer tools that help in creating and  
debugging secure Mac OS X applications.  The tools work by inspecting  
the application's state at the time of the crash, as well as the  
application crash logs.  Using these tools on a reproducible test case  
can determine if a crash could lead to a potentially exploitable  
security issue, while providing valuable data to fix these issues.   
Additionally, any crash log can be inspected to determine if it is a  
duplicate of a known crash. The CrashWrangler tools support Mac OS X  
10.5 or later.

It should be understood that CrashWrangler uses advanced heuristics,  
but that false positives and false negatives are possible.  It's  
intended for quick assessment.  As always, a detailed manual  
inspection is the only way to be sure something is or isn't exploitable.

The basic algorithm for determining exploitability looks like this.

Exploitable if:
        Crash on write instruction
        Crash executing invalid address
        Crash calling an invalid address
        Crash accessing an uninitialized or freed pointer as indicated by using the MallocScribble environment variable
        Illegal instruction exception
        Abort due to -fstack-protector, _FORTIFY_SOURCE, heap corruption detected
        Stack trace of crashing thread contains certain functions such as malloc, free, szone_error, objc_msgSend, etc.
        
Not exploitable if:
        Divide by zero exception
        Stack grows too large due to recursion
        Null dereference
        Other abort
        Crash on read instruction

If a crash is determined to be non-exploitable, it's recommended to  
run the test case again with libgmalloc(3) on, with MALLOC_ALLOW_READS  
and MALLOC_FILL_SPACE set, and see if the crash changes to one that is  
considered to be exploitable.

CrashWrangler does not send any data about your crash to Apple or  
anyone else.  Note that it does forward the information about the  
crash to CrashReporter, which is part of the OS, and as always it will  
send info to Apple if and only if you click the "Send to Apple" button  
in the Crash Reporter dialog.

Drew Yao
Apple Product Security
PGP key at https://www.apple.com/support/security/pgp/

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
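
The rule list in the message above can be read as a small decision procedure. The following is an added example, not CrashWrangler's code and not part of the original post: a Python sketch that applies those rules to constructed crash descriptors. The descriptor fields (`access`, `address`, `abort_reason`, `recursion`, `backtrace`), the abort labels, the null-page limit, the scribble-pattern check and the order in which rules are tested are all assumptions, since the post does not specify them.

```python
# Added example: rules come from the post; field names, labels and rule order are assumptions.
SUSPICIOUS_FRAMES = {"malloc", "free", "szone_error", "objc_msgSend"}
HARDENING_ABORTS = {"stack-protector", "fortify-source", "heap-corruption"}  # hypothetical labels
# MallocScribble fills freed memory with 0x55 and fresh allocations with 0xAA.
# Ignoring the low byte also catches small field offsets from a scribbled pointer.
SCRIBBLE_PREFIXES = {0x555555, 0xAAAAAA, 0x55555555555555, 0xAAAAAAAAAAAAAA}
NULL_LIMIT = 0x1000  # assumption: faults below this address count as a null dereference


def classify(crash):
    """Return (verdict, reason) for one crash descriptor dict."""
    exc = crash["exception"]
    suspicious = SUSPICIOUS_FRAMES & set(crash.get("backtrace", []))
    if exc == "EXC_BAD_INSTRUCTION":
        return "exploitable", "illegal instruction"
    if exc == "EXC_ARITHMETIC":
        return "not exploitable", "divide by zero"
    if exc == "EXC_CRASH":  # process called abort()
        if crash.get("abort_reason") in HARDENING_ABORTS:
            return "exploitable", "abort raised by a memory-safety check"
        if suspicious:
            return "exploitable", "suspicious frame: " + sorted(suspicious)[0]
        return "not exploitable", "other abort"
    if crash.get("recursion"):
        return "not exploitable", "stack exhausted by recursion"
    addr, access = crash["address"], crash["access"]
    if addr >> 8 in SCRIBBLE_PREFIXES:
        return "exploitable", "uninitialized or freed pointer"
    if addr < NULL_LIMIT:
        return "not exploitable", "null dereference"
    if access in ("write", "exec", "call"):
        return "exploitable", "crash on " + access
    if suspicious:
        return "exploitable", "suspicious frame: " + sorted(suspicious)[0]
    return "not exploitable", "crash on read"


# Constructed crash descriptors, not output from CrashWrangler.
SAMPLES = [
    {"exception": "EXC_BAD_ACCESS", "access": "write", "address": 0x41414141},
    {"exception": "EXC_BAD_ACCESS", "access": "read", "address": 0x55555561},
    {"exception": "EXC_BAD_ACCESS", "access": "read", "address": 0x8},
    {"exception": "EXC_BAD_ACCESS", "access": "read", "address": 0xB0000000,
     "backtrace": ["szone_error", "free", "main"]},
    {"exception": "EXC_CRASH", "abort_reason": "stack-protector"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```
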

