A newly released analysis tool from Microsoft helps security engineers and developers investigate memory corruption bugs.
Called VulnScan, the tool has been designed and developed by the Microsoft Security Response Center (MSRC) to help determine the vulnerability type and root cause of memory corruption flaws. The utility was built on top of two internally developed tools, namely Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD), the tech giant says.
WinDbg was created as a Windows debugger that has recently received a user interface makeover, while Time Travel Debugging is an internally developed framework designed to record and replay execution of Windows applications.
“By leveraging WinDbg and TTD, VulnScan is able to automatically deduce the root cause of the most common types of memory corruption issues. Application Verifier’s mechanism called PageHeap is used to trigger an access violation closer to the root cause of the issue,” Mateusz Krzywicki from MSRC explains.
The tool begins the analysis process from the crash location then progresses to determine the root cause. VulnScan includes support for five different classes of memory corruption issues, namely Out of bounds read/write, Use after free, Type confusion, Uninitialized memory use, and Null/constant pointer dereference.
According to Krzywicki, the tool can also detect integer overflows and underflows, along with basic out of bounds accesses caused by a bad loop counter value. Use-after-free bugs can be detected even without PageHeap enabled.
MSRC already makes use of the new tool as part of their automation framework called Sonar, which was designed to process externally reported proof of concept files. The platform can both reproduce issues and perform root cause analysis by employing multiple different environments.
Microsoft also plans on including VulnScan in the Microsoft Security Risk Detection service (Project Springfield). As part of this service, it will be used to de-duplicate crashes and provide extended analysis of vulnerabilities found through fuzzing.
“Over a 10-month period where VulnScan was used to triage all memory corruption issues for Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products. It had a success rate around 85%, saving an estimated 500 hours of engineering time for MSRC engineers,” Krzywicki says.
The tool uses multi-branch taint analysis, meaning that it can sequentially track all values obtained from a single instruction. VulnScan also features a queue of registers and memory addresses associated with specific positions in the execution timeline and performs taint analysis separately for each branch, so that application data flow could be recreated in full.

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
