A Microsoft exploit expert has designed a prototype tool, based on an experimental model, to help determine more accurately the exploitability of memory-safety vulnerabilities.
Security analysts currently have a tough job determining the threat level of such vulnerabilities because of the complexity of modern exploit writing and the absence of a model on which consistent analysis can be based.
This leads to an overestimation of risk, according to Matt Miller, a researcher with Microsoft's Security Engineering Center (MSEC).
In a technical presentation at the Breakpoint security event in Melbourne, Miller, a former Metasploit developer, said that 75 percent of recently reported memory-safety vulnerabilities in which an exploit was expected to surface within a month were overestimated: the exploits did not emerge.
“Estimation is largely manual and could be error-prone, inconsistent and hard to verify,” Miller said.
“It's really hard to capture all the variabilities that affect exploitability.”
He said analysts may be dissuaded from disclosing vulnerabilities by the current necessity for vendors either to be overly conservative in determining exploitability or to produce a working exploit.
The latter requirement is problematic because of the complexity of exploit writing, which requires professionals to maintain advanced technical skills.
Miller's model builds on generally accepted terminology for vulnerabilities and exploitability, and promises to minimise the need for human input in the analysis of exploitability.
“The invariants of a vulnerability are specified using a structured and well-defined format that can be independently reviewed and verified. This specification then forms the initial state for an automaton that provides an abstract representation of the primitives and techniques that facilitate or mitigate exploitation.”
It could also make risk management more effective, help determine a precise measure of exploitability risk between software versions, and help determine what level of risk is acceptable.
Using the model, developers would also have a better understanding of where to invest in defensive technologies in order to mitigate the vulnerabilities most likely to be exploited, he said.
Miller aims to release the tool through Microsoft once it is more developed and polished.
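The quoted description (structured invariants as the initial state of an automaton over primitives and mitigations) and the version-comparison use case can be illustrated with a small reachability model. The following is an added example written for this article; it is not Miller's tool or model, and the `VulnerabilitySpec` fields, the primitive and mitigation names, and the transition rules in `RULES` are constructed, textbook-level abstractions chosen for illustration, not MSEC terminology.

```python
"""Toy exploitability automaton (added illustration, not Miller's model).

A vulnerability's invariants are captured in a small structured record.
The "automaton" is a set of transitions between abstract primitives; each
transition is removed when any of the mitigations it lists is enabled.
Exploitability is then a reachability question: can a terminal primitive
(here "code_execution") be reached from the vulnerability's initial state?
All names and rules below are assumptions chosen for the example.
"""
from collections import deque
from dataclasses import dataclass

# (source primitive, target primitive, mitigations that remove this transition).
# Constructed abstractions for illustration only.
RULES = [
    ("stack_overflow", "return_address_control", {"stack_cookies"}),
    ("heap_overflow", "arbitrary_write", {"heap_hardening"}),
    ("arbitrary_write", "function_pointer_control", {"cfg"}),
    ("return_address_control", "code_execution", {"dep"}),
    ("function_pointer_control", "code_execution", {"dep"}),
    ("return_address_control", "code_reuse", {"aslr"}),
    ("function_pointer_control", "code_reuse", {"aslr"}),
    ("code_reuse", "code_execution", set()),
]


@dataclass(frozen=True)
class VulnerabilitySpec:
    """Structured, reviewable invariants of one vulnerability (assumed fields)."""
    identifier: str          # constructed label, not a real advisory id
    initial_primitive: str   # what the bug hands an attacker to start with


def reachable_primitives(start, mitigations, rules=RULES):
    """Breadth-first walk over the automaton.

    Returns {primitive: path_from_start}; a primitive is absent when every
    route to it is cut by an enabled mitigation.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, blocked_by in rules:
            if src != cur or dst in paths:
                continue
            if blocked_by & mitigations:
                continue  # an enabled mitigation removes this transition
            paths[dst] = paths[cur] + [dst]
            queue.append(dst)
    return paths


def assess(spec, mitigations, goal="code_execution"):
    """Verdict for one vulnerability under one set of enabled mitigations."""
    paths = reachable_primitives(spec.initial_primitive, set(mitigations))
    if goal in paths:
        return {"exploitable": True, "path": paths[goal], "reached": sorted(paths)}
    # Not reachable: report how far the automaton got, which tells the
    # defender which mitigation is doing the work.
    return {"exploitable": False, "path": None, "reached": sorted(paths)}


def compare_versions(spec, mitigations_by_version):
    """Same bug, different builds: which versions leave it exploitable?"""
    return {ver: assess(spec, mits)["exploitable"]
            for ver, mits in mitigations_by_version.items()}


if __name__ == "__main__":
    spec = VulnerabilitySpec("EXAMPLE-0001", "stack_overflow")
    for mits in (set(), {"dep"}, {"dep", "aslr"}, {"stack_cookies"}):
        print(sorted(mits) or "no mitigations", "->", assess(spec, mits))
    print(compare_versions(spec, {"1.0": set(), "2.0": {"dep", "aslr"}}))
```

The value of the structure is in the last two functions: the same reviewable `VulnerabilitySpec` is evaluated against each build's mitigation set, so the difference in exploitability between versions falls out of the model rather than out of an analyst's judgement, and a non-exploitable verdict still names the primitives that remained reachable.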
His presentation slides detailing the model will be available on the Breakpoint website soon.