Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

New Microsoft Tool Analyzes Memory Corruption Bugs

A newly released analysis tool from Microsoft helps security engineers and developers investigate memory corruption bugs.

A newly released analysis tool from Microsoft helps security engineers and developers investigate memory corruption bugs.

Called VulnScan, the tool has been designed and developed by the Microsoft Security Response Center (MSRC) to help determine the vulnerability type and root cause of memory corruption flaws. The utility was built on top of two internally developed tools, namely Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD), the tech giant says.

WinDbg was created as a Windows debugger that has recently received a user interface makeover, while Time Travel Debugging is an internally developed framework designed to record and replay execution of Windows applications.

“By leveraging WinDbg and TTD, VulnScan is able to automatically deduce the root cause of the most common types of memory corruption issues. Application Verifier’s mechanism called PageHeap is used to trigger an access violation closer to the root cause of the issue,” Mateusz Krzywicki from MSRC explains.

The tool begins the analysis process from the crash location then progresses to determine the root cause. VulnScan includes support for five different classes of memory corruption issues, namely Out of bounds read/write, Use after free, Type confusion, Uninitialized memory use, and Null/constant pointer dereference.

According to Krzywicki, the tool can also detect integer overflows and underflows, along with basic out of bounds accesses caused by a bad loop counter value. Use-after-free bugs can be detected even without PageHeap enabled.

MSRC already makes use of the new tool as part of their automation framework called Sonar, which was designed to process externally reported proof of concept files. The platform can both reproduce issues and perform root cause analysis by employing multiple different environments.

Microsoft also plans on including VulnScan in the Microsoft Security Risk Detection service (Project Springfield). As part of this service, it will be used to de-duplicate crashes and provide extended analysis of vulnerabilities found through fuzzing.

“Over a 10-month period where VulnScan was used to triage all memory corruption issues for Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products. It had a success rate around 85%, saving an estimated 500 hours of engineering time for MSRC engineers,” Krzywicki says.

The tool uses multi-branch taint analysis, meaning that it can sequentially track all values obtained from a single instruction. VulnScan also features a queue of registers and memory addresses associated with specific positions in the execution timeline and performs taint analysis separately for each branch, so that application data flow could be recreated in full.

Related: Microsoft Launches Windows Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.