Dailydave mailing list archives
Announcing CrashWrangler
From: Drew Yao <ayao () apple com>
Date: Wed, 8 Jul 2009 13:10:03 -0700
Hello,

Apple recently released the new CrashWrangler tools to anyone with a free ADC account, and they are available at:

https://connect.apple.com/cgi-bin/WebObjects/MemberSite.woa/wa/getSoftware?bundleID=20390

... or just look for it in the downloads section of http://connect.apple.com/ under Mac OS X.

CrashWrangler is a set of developer tools that help in creating and debugging secure Mac OS X applications. The tools work by inspecting the application's state at the time of the crash, as well as the application crash logs. Using these tools on a reproducible test case can determine if a crash could lead to a potentially exploitable security issue, while providing valuable data to fix these issues. Additionally, any crash log can be inspected to determine if it is a duplicate of a known crash. The CrashWrangler tools support Mac OS X 10.5 or later.

It should be understood that CrashWrangler uses advanced heuristics, but that false positives and false negatives are possible. It's intended for quick assessment. As always, a detailed manual inspection is the only way to be sure something is or isn't exploitable.

The basic algorithm for determining exploitability looks like this.

Exploitable if:
- Crash on write instruction
- Crash executing invalid address
- Crash calling an invalid address
- Crash accessing an uninitialized or freed pointer as indicated by using the MallocScribble environment variable
- Illegal instruction exception
- Abort due to -fstack-protector, _FORTIFY_SOURCE, heap corruption detected
- Stack trace of crashing thread contains certain functions such as malloc, free, szone_error, objc_MsgSend, etc.

Not exploitable if:
- Divide by zero exception
- Stack grows too large due to recursion
- Null dereference
- Other abort
- Crash on read instruction

If a crash is determined to be non-exploitable, it's recommended to run the test case again with libgmalloc(3) on with MALLOC_ALLOW_READS and MALLOC_FILL_SPACE set, and see if the crash changes to one that is considered to be exploitable.

CrashWrangler does not send any data about your crash to Apple or anyone else. Note that it does forward the information about the crash to CrashReporter, which is part of the OS, and as always it will send info to Apple if and only if you click the "Send to Apple" button in the Crash Reporter dialog.

Drew Yao
Apple Product Security
PGP key at https://www.apple.com/support/security/pgp/

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
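The two rule lists in the message above, written out as a small triage function. This is an added example, not CrashWrangler code and not part of the original post; the Crash record, the order in which the rules are checked, the 0x1000 null threshold and the fill-pattern test are assumptions of the example.

```python
from dataclasses import dataclass, field

# Names and abort causes come from the post's lists; frames are matched case-insensitively.
SUSPICIOUS_FRAMES = {"malloc", "free", "szone_error", "objc_msgsend"}
SECURITY_ABORTS = {"stack_protector", "fortify_source", "heap_corruption"}
NULL_LIMIT = 0x1000  # assumption: a fault address below this is a null dereference

@dataclass
class Crash:  # hypothetical record, not a CrashWrangler structure
    kind: str  # write|read|exec|call|illegal_instruction|divide_by_zero|recursion|abort
    address: int = 0
    abort_reason: str = ""  # only meaningful when kind == "abort"
    frames: list = field(default_factory=list)  # crashing thread, innermost first

def scribbled(address):
    """True if the address looks like malloc debug fill (0x55 freed, 0xAA fresh)."""
    digits = format(address >> 8, "x")  # drop the low byte to tolerate small offsets
    return len(digits) >= 6 and set(digits) in ({"5"}, {"a"})

def classify(crash):
    """Return (exploitable, reason). The rule order is this example's assumption."""
    if any(f.lower() in SUSPICIOUS_FRAMES for f in crash.frames):
        return True, "suspicious function in stack trace"
    if crash.kind == "abort":
        bad = crash.abort_reason in SECURITY_ABORTS
        return bad, ("abort: " + crash.abort_reason) if bad else "other abort"
    if crash.kind == "illegal_instruction":
        return True, "illegal instruction"
    if crash.kind in ("divide_by_zero", "recursion"):
        return False, crash.kind
    if scribbled(crash.address):
        return True, "uninitialized or freed pointer"
    if crash.address < NULL_LIMIT:
        return False, "null dereference"
    if crash.kind in ("write", "exec", "call"):
        return True, "crash on " + crash.kind
    return False, "crash on read"

# Constructed sample crashes, not taken from real crash logs.
SAMPLES = [
    Crash("read", 0x55555559),
    Crash("read", 0x8, frames=["CFRelease", "main"]),
    Crash("read", 0x10, frames=["szone_error", "free", "main"]),
    Crash("write", 0x41414141),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.kind, hex(sample.address), classify(sample))
```

The second and third samples are both reads near address zero; only the stack trace separates them, which is why a "not exploitable" result is worth re-checking as the post recommends.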