BitBlaze tool boosts bug-hunting productivity 10-fold

Computerworld -Researchers and developers -- and for that matter, hackers -- can dramatically slash the time it takes to root out exploitable security vulnerabilities by using an open-source toolkit created at UC Berkeley, a noted bug hunter said today at Black Hat.

BitBlaze can cut the time required to identify a hackable bug from days or even weeks to just hours, said Charlie Miller, an analyst with Independent Security Evaluators (ISE), a Baltimore-based security consultancy. Miller presented his findings at the security conference that kicked off Wednesday in Las Vegas.

"It's not really hard to find bugs anymore," said Miller in an interview earlier this week as he prepared for Black Hat. "The problem is that we find all these crashes using fuzzing, but we don't know what to do with them. The hardest part is prioritizing them and the underlying vulnerability that caused the crash."

Miller was joined today at the Black Hat briefing by Noah Johnson, a computer science Ph.D. candidate at the University of California Berkeley. Johnson is part of a team at the school that developedBitBlaze, a multi-tool platform that automates malicious code analysis.

In some ways, the Miller-Johnson Black Hat talk was a follow-up to Miller's "fuzzing" work earlier in the year.

At the CanSecWest security conference in March, Miller demonstrated how he was able to findscores of possible bugsusing what he called a "dumb fuzzer," a concise tool that automatically searches for flaws in software by inserting data to see where a program failed. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release their software.

Miller, the only researcher to win the CanSecWest-hosted Pwn2Own hacking contestthree years running, created a stir at the conference when he refused to hand over what he'd found toApple, Adobe orMicrosoft. Instead, Miller said he wanted to show vendors how easy it was to uncover bugs, which he hoped would prompt them to do more fuzzing of their own.

"I logged more than 40 crashes in Adobe Reader, over 200 in Apple's Preview," said Miller of his fuzzing work earlier this year. "But the tool I was using then,Microsoft's "!exploitable"[pronounced 'bang exploitable'] said that six of those Adobe crashes were likely exploitable."

Half of the time, !exploitable told Miller it couldn't determine whether the crash could lead to exploitation. "In that way, it doesn't help at all," said Miller.