The humble crash report contains hidden information that could be worth its weight in gold to security experts, according to security researcher and DoubleYou CEO Patrick Wardle, who took the stage at the Black Hat USA 2024 conference to preach the virtues of crash analysis.
“From these reports, we can extract a ton of information that can help us detect malware, bugs and much more,” Wardle told Black Hat attendees.
(For current Black Hat USA coverage from SC Media, Security Weekly, and CyberRisk TV, visit our Black Hat USA 2024 coverage spotlight page.)
Known for his macOS security research and tool development, Wardle believes that many sectors and roles in the security field can extract valuable information from crash reports, whether they put it to good use or bad.
On the positive side, crash reports give major vendors a way to detect zero-day exploits against their own products.
Wardle explained that automated exploits often depend on specific conditions being met and have a relatively low success rate, so failed attempts frequently crash the target. By analyzing the resulting reports, vendors can spot an application being driven to do something it was never meant to do.
Likewise, security researchers can use crash reports to detect malware payloads that signature-based detection misses. Wardle said that malware authors tend to be sloppy or inexperienced coders, so their software crashes frequently. An experienced researcher can trace the detailed information in the crash report to pin down exactly what crashed, exposing the hidden malware.
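To make the kind of triage Wardle describes concrete, here is an added example (written for this article, not Wardle's tooling or any vendor's pipeline). It parses two constructed macOS-style text crash reports, one from a binary posing as an Apple updater that crashed from a hidden temp directory and one from a benign Safari null dereference, and applies a few assumed heuristics: the binary's path, an Apple-looking bundle identifier outside Apple locations, a fault address that is non-canonical or a repeated-byte fill pattern, and a crashing frame that is not inside any loaded image. The allow-list, the heuristics and both sample reports are assumptions made for the example.

```python
import re

# Constructed sample (not a real report): a binary posing as an Apple updater,
# running from a hidden temp directory, that crashed dereferencing a pointer
# made of 'A' bytes, the classic footprint of corrupted data or a failed exploit.
SUSPICIOUS_REPORT = """\
Process:               com.apple.updater [4242]
Path:                  /private/tmp/.hidden/com.apple.updater
Identifier:            com.apple.updater
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x4141414141414141

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   com.apple.updater               0x0000000104a3f1c0 0x104a38000 + 29120
1   ???                             0x00000001234567ab 0 + 4886718379
2   libdyld.dylib                   0x000000019c1d3e50 start + 2360
"""

# Constructed benign counterpart: an Apple app crashing on a null dereference
# inside named, loaded images.
BENIGN_REPORT = """\
Process:               Safari [7331]
Path:                  /Applications/Safari.app/Contents/MacOS/Safari
Identifier:            com.apple.Safari
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   com.apple.WebKit                0x000000019d4a1b30 WTF::fastMalloc(unsigned long) + 44
1   com.apple.Safari                0x0000000100a2c1f0 0x100a00000 + 180720
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")                    # "Key:   value"
CRASHED_RE = re.compile(r"^Thread (\d+) Crashed")                     # crashing thread's backtrace
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")  # "idx image address symbol"
FAULT_ADDR_RE = re.compile(r"at (0x[0-9a-fA-F]+)")

# Assumed allow-list of locations where legitimately installed code lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")


def parse_crash_report(text):
    """Extract header fields and the crashed thread's frames from a text-format report."""
    report = {"headers": {}, "crashed_thread": None, "frames": []}
    in_backtrace = False
    for line in text.splitlines():
        m = CRASHED_RE.match(line)
        if m:
            report["crashed_thread"] = int(m.group(1))
            in_backtrace = True
            continue
        if in_backtrace:
            f = FRAME_RE.match(line)
            if f:
                report["frames"].append({"index": int(f.group(1)), "image": f.group(2),
                                         "address": int(f.group(3), 16), "symbol": f.group(4).strip()})
            elif not line.strip():
                in_backtrace = False            # a blank line ends the backtrace
            continue
        h = HEADER_RE.match(line)
        if h:
            report["headers"][h.group(1).strip()] = h.group(2).strip()
    return report


def is_repeated_byte_pattern(addr):
    """True when a 64-bit address is one byte repeated (0x4141..., 0xdede...):
    a pointer overwritten by attacker- or fuzzer-controlled fill data."""
    return addr > 0xFFFF and len(set(addr.to_bytes(8, "big"))) == 1


def triage(report):
    """Apply the illustrative heuristics; returns a list of human-readable findings."""
    findings = []
    h = report["headers"]
    path = h.get("Path", "")
    if path and not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"binary runs from a non-standard location: {path}")
    if h.get("Identifier", "").startswith("com.apple.") and not path.startswith(TRUSTED_PREFIXES):
        findings.append("Apple-style bundle identifier on a binary outside Apple locations")
    m = FAULT_ADDR_RE.search(h.get("Exception Codes", ""))
    if h.get("Exception Type", "").startswith("EXC_BAD_ACCESS") and m:
        addr = int(m.group(1), 16)
        if addr >= 1 << 47:                     # outside the canonical user address range
            findings.append(f"non-canonical fault address {m.group(1)}")
        if is_repeated_byte_pattern(addr):
            findings.append(f"fault address is a repeated-byte fill pattern {m.group(1)}")
    for f in report["frames"]:
        if f["image"] == "???":                 # code executing outside any loaded image
            findings.append(f"frame {f['index']} at {f['address']:#x} is not in any loaded image")
    return findings


def triage_text(text):
    return triage(parse_crash_report(text))


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_REPORT), ("benign", BENIGN_REPORT)):
        print(name, triage_text(text) or ["no findings"])
```

Run as-is, the suspicious report yields five findings and the benign one none. In a real pipeline the allow-list would be replaced by code-signing and notarization checks, and the address heuristics tuned per architecture, but the structure is the same: parse the header and the crashed thread, then ask whether the crash site and fault address make sense for the binary that produced them.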
Less pleasantly, crash reports can also hand attackers useful information. In some cases, attackers can read crash reports to identify a buffer overflow or other memory-corruption vulnerability that could be exploited for a remote takeover.
Even state-sponsored actors have gotten in on the game. Wardle pointed to a recent report that caught the NSA collecting crash reports for its own purposes.
“These reports contained very specific information about the crashed system,” he explained.
“This could provide useful information about how to exploit a system.”
Perhaps the most prominent example of crash analysis proving its worth in practice was the July 2024 CrowdStrike outage, where crash reports were decisive in establishing that the fault lay with the security vendor rather than with Microsoft.
Wardle himself was among the first to clear Microsoft when he used a crash report to determine the cause of the problem: a faulty update to CrowdStrike's own security software, whose kernel-mode driver brought down Windows.
“After receiving a crash report, we were able to quickly determine that this was not a Microsoft bug at all, but a CrowdStrike crash,” Wardle said.
“In my opinion, they are super important because in some cases they are the absolute truth.”