
Black Hat: Crash reports could prove invaluable to security pros


The common crash report contains hidden information that could be golden for security professionals, according to security researcher and DoubleYou CEO Patrick Wardle, who took the stage at Black Hat USA 2024 to preach the virtues of crash analysis.

“From these reports we can extract a myriad of information that will allow us to extract malware, bugs, and much more,” Wardle told Black Hat attendees.

[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]

According to Wardle, known for his macOS security research and tool development, practitioners across the security field can pull valuable information from these reports, for better and for worse.

On the defensive side, large vendors can use crash reports to spot zero-day exploits being used against their products in the wild.

Wardle explained that exploits, particularly automated ones, often depend on conditions that do not always hold, so they have a fairly low success rate and a failed attempt frequently crashes the target. Analysis of the resulting reports can and has allowed vendors to spot when an application is being made to do something out of the ordinary.

Likewise, security researchers can and do use crash reports to spot malware payloads that signature-based detection misses. Wardle said that because malware authors, as a group, tend to be sloppy or inexperienced coders, their software often crashes. A savvy researcher can trace the detailed information in the report (the crashed thread, the faulting frame and the list of loaded binary images) back to exactly what caused the crash, revealing the covert malware.
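As an added, constructed illustration of that trace-back (this is not code from Wardle's talk or from any DoubleYou tool), the Python script below parses a made-up macOS crash report in the classic text layout, maps the crashed thread's top frame to the binary image whose address range contains it, and flags loaded images that sit in temporary, shared or hidden paths. The report contents, the module names and addresses, and the path heuristics are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the classic macOS crash-report text layout; the process,
# module names, addresses, UUIDs and paths are invented for illustration.
SAMPLE_REPORT = """\
Process:               Safari [4242]
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Crashed Thread:        3

Thread 0:
0   libsystem_kernel.dylib        \t0x00000001a0b1c2d0 mach_msg2_trap + 8

Thread 3 Crashed:
0   com.example.hookloader        \t0x0000000104c8a1f0 0x104c80000 + 41456
1   com.example.hookloader        \t0x0000000104c8b2a4 0x104c80000 + 45732
2   libsystem_pthread.dylib       \t0x00000001a0c0d000 _pthread_start + 148

Binary Images:
       0x104000000 -        0x1041fffff com.apple.Safari (17.0) <AAAA> /Applications/Safari.app/Contents/MacOS/Safari
       0x104c80000 -        0x104c9ffff +com.example.hookloader (1.0) <BBBB> /private/tmp/.cache/hookloader.dylib
       0x1a0b1c000 -        0x1a0b4ffff libsystem_kernel.dylib (2000.0) <CCCC> /usr/lib/system/libsystem_kernel.dylib
"""

@dataclass
class BinaryImage:
    start: int
    end: int
    name: str
    path: str
    third_party: bool  # a '+' before the name in Binary Images marks code that is not part of the OS

@dataclass
class CrashReport:
    process: str = ""
    exception_type: str = ""
    crashed_thread: Optional[int] = None
    crashed_frames: List[Tuple[int, str, int, str]] = field(default_factory=list)  # (index, image, address, symbol)
    images: List[BinaryImage] = field(default_factory=list)

HEADER_RE = re.compile(r"^(Process|Exception Type|Crashed Thread):\s+(.*)$")
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")
IMAGE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+-\s+(0x[0-9a-fA-F]+)\s+(\+?)(\S+)\s+\([^)]*\)\s+<[^>]*>\s+(\S.*?)\s*$")

def parse_report(text: str) -> CrashReport:
    """Pull the header fields, the crashed thread's frames and the loaded image list."""
    lines = text.splitlines()
    headers = {m[1]: m[2].strip() for m in map(HEADER_RE.match, lines) if m}
    thread = headers.get("Crashed Thread", "")  # may read "3  Dispatch queue: ..." on real reports
    report = CrashReport(headers.get("Process", ""), headers.get("Exception Type", ""),
                         int(thread.split()[0]) if thread else None)
    section = None
    for line in lines:
        if line.startswith(f"Thread {report.crashed_thread} Crashed"):
            section = "crashed"
        elif line.startswith("Binary Images:"):
            section = "images"
        elif not line.strip():
            section = None  # a blank line ends a section; other threads are skipped
        elif section == "crashed" and (m := FRAME_RE.match(line)):
            report.crashed_frames.append((int(m[1]), m[2], int(m[3], 16), m[4].strip()))
        elif section == "images" and (m := IMAGE_RE.match(line)):
            report.images.append(BinaryImage(int(m[1], 16), int(m[2], 16), m[4], m[5], m[3] == "+"))
    return report

# Assumed heuristics: where OS and conventionally installed software lives (not proof
# of legitimacy) versus the temporary or shared locations loaders tend to stage in.
EXPECTED_PREFIXES = ("/System/", "/usr/lib/", "/usr/libexec/", "/Applications/", "/Library/Apple/")
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/", "/Users/Shared/")

def image_for(report: CrashReport, address: int) -> Optional[BinaryImage]:
    """Map a frame address to the loaded image whose range contains it."""
    return next((i for i in report.images if i.start <= address <= i.end), None)

def suspicious_reasons(img: BinaryImage) -> List[str]:
    """Heuristic flags for one loaded image; an empty list means nothing looked odd."""
    reasons = []
    if img.path.startswith(STAGING_PREFIXES):
        reasons.append("loaded from a temporary or shared staging directory")
    if any(part.startswith(".") for part in img.path.split("/") if part):
        reasons.append("hidden path component")
    if img.third_party and not img.path.startswith(EXPECTED_PREFIXES):
        reasons.append("non-OS code outside the usual install locations")
    return reasons

def triage(text: str) -> Dict[str, object]:
    """Summarise one report: what crashed, which image it was executing, which images look off."""
    report = parse_report(text)
    top = report.crashed_frames[0] if report.crashed_frames else None
    faulting = image_for(report, top[2]) if top else None
    flagged = {i.path: r for i in report.images if (r := suspicious_reasons(i))}
    return {"process": report.process, "exception": report.exception_type,
            "crashed_thread": report.crashed_thread,
            "faulting_image": faulting.path if faulting else None,
            "flagged_images": flagged}
```

Running `triage(SAMPLE_REPORT)` attributes the fault to the image at `/private/tmp/.cache/hookloader.dylib` and flags it on all three heuristics, while the Apple-owned images pass. Recent macOS versions write reports as JSON (`.ips`) rather than this text layout, and the path heuristics are deliberately loose: legitimate software does sometimes load from caches, so a hit is a lead for a human to follow, not a verdict.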

On the less savory side, crash reports can also hand useful information to attackers. In some cases an attacker can read a crash report to spot a potential memory-corruption flaw such as a buffer overflow, or another vulnerability, that could be exploited for remote takeover.

Even state-sponsored actors have gotten into the game. Wardle noted a report in which the NSA was found to be harvesting crash reports for its own use.

“These reports had very specific information about the system that crashed,” he explained.

“This could provide useful information on how to exploit a system.”

Perhaps the most notable recent example of crash reports settling a real-world question was the CrowdStrike outage, in which crash reports proved invaluable in shifting the blame for the incident from Microsoft to the security vendor.

Wardle himself was among the first to absolve Microsoft when he used a crash report to pin down the source of the problem: a faulty update to CrowdStrike's own security software that led to a Windows kernel crash.

“Once we got a crash report we could quickly see this was not a Microsoft bug at all, but CrowdStrike crashing,” Wardle said.

“In my opinion they are super important because in some instances they are the absolute truth.”

