VulnScan report

Microsoft announced yesterday a new tool that automates the process of detecting the root cause of memory corruption issues.

Called VulnScan, the tool will be part of Microsoft Security Risk Detection, a cloud service that allows users and companies to upload a version of their app and have it automatically tested on a wide variety of Windows or Linux platforms.

VulnScan is only the latest addition to the Microsoft Security Risk Detection service that is currently in beta, after being launched in September 2016, then named Project Springfield [1, 2].

VulnScan is for detecting the root cause of memory bugs

Most of the tools and features included with the Microsoft Security Risk Detection platform work using a technique called fuzzing, which takes an app, feeds it random or mutated input values, and watches for abnormalities in the app's behaviour (crashes, hangs, memory errors) to detect possible vulnerabilities.

Most of the bugs found during fuzz testing are memory-related issues. VulnScan complements this process, being a tool "to help security engineers and developers determine the vulnerability type and root cause of memory corruption bugs." VulnScan works by producing reports like these.

Microsoft says VulnScan can find the root cause of the following memory corruption bug types: out of bounds read/write, use after free, type confusion, uninitialized memory use, and null/constant pointer dereference.
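To make the two steps described above concrete (fuzzing an app with mutated inputs, then triaging the crash down to its root cause), here is an added example that is not code from VulnScan, Microsoft Security Risk Detection, or the article. It is a self-contained Python mutation fuzzer run against a constructed, deliberately defective record parser: the parser trusts a declared length field instead of the actual payload size, which is the same trust-the-header mistake behind many out-of-bounds reads. In Python the defect surfaces as an `IndexError` rather than a memory read past a buffer, so the example models the class of bug rather than a Windows-native crash. All function names (`parse_record`, `mutate`, `crashes`, `fuzz`, `minimize`), the record format, the seed input and the random seed are assumptions made for this example.

```python
import random
from typing import Optional, Tuple

# --- Target under test (constructed for this example; deliberately defective) ---
def parse_record(data: bytes) -> int:
    """Parse a constructed record format: one length byte, then that many payload bytes.
    Returns an XOR checksum of the payload.

    Deliberate defect: the loop trusts the declared length n instead of the
    actual payload length, so a record whose header claims more bytes than are
    present reads past the payload. In Python that is an IndexError; in C it
    would be an out-of-bounds read, one of the bug classes VulnScan triages.
    """
    if not data:
        raise ValueError("empty record")  # the parser's own input validation
    n = data[0]
    payload = data[1:1 + n]
    checksum = 0
    for i in range(n):          # should be range(len(payload))
        checksum ^= payload[i]
    return checksum


# --- Minimal mutation fuzzer ---
def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, insert a byte, or delete a byte."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def crashes(data: bytes) -> Optional[str]:
    """Run the target on one input. Return the exception class name if it crashed,
    or None if it returned normally or rejected the input via its own ValueError."""
    try:
        parse_record(data)
    except ValueError:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


def fuzz(seed_input: bytes, iterations: int, seed: int = 1234) -> Optional[Tuple[bytes, str]]:
    """Mutate inputs drawn from a growing corpus until the target crashes.
    Returns (crashing_input, exception_name) or None if nothing crashed."""
    rng = random.Random(seed)   # fixed seed so a run is reproducible
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        kind = crashes(candidate)
        if kind is not None:
            return candidate, kind
        corpus.append(candidate)  # non-crashing inputs become new seeds
    return None


def minimize(data: bytes) -> bytes:
    """Greedy test-case reduction: drop single bytes while the input still crashes.
    A minimal reproducer is the first step of root-cause triage."""
    changed = True
    while changed:
        changed = False
        for i in range(len(data)):
            smaller = data[:i] + data[i + 1:]
            if crashes(smaller) is not None:
                data = smaller
                changed = True
                break
    return data


if __name__ == "__main__":
    # Constructed seed input: header 0x05 followed by the five-byte payload "hello".
    result = fuzz(b"\x05hello", iterations=2000)
    if result is None:
        print("no crash found")
    else:
        crashing, kind = result
        print(f"crash: {kind} on input {crashing!r}")
        print(f"minimized reproducer: {minimize(crashing)!r}")
```

On the seed input the parser returns a checksum normally; the fuzzer finds a crashing mutation (typically a truncated payload or an inflated length byte) within a few iterations, and `minimize` reduces it to a single non-zero length byte with no payload at all, which points straight at the unchecked length field. A real fuzzer adds coverage feedback and a sanitizer-instrumented target, but the loop structure and the reduction step are the same ideas a tool like VulnScan automates at scale.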

Under the hood, VulnScan is built on two other Microsoft tools — Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD).

Microsoft says it's been using VulnScan internally for over ten months to triage memory corruption issues found and reported in Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products.

"It had a success rate around 85%, saving an estimated 500 hours of engineering time for MSRC engineers," said Mateusz Krzywicki from Microsoft Security Response Center UK.

VulnScan available only via Microsoft Security Risk Detection

Developers and organizations can sign up for the Microsoft Security Risk Detection service beta and test the new tool for free before the service launches, most likely under a hefty paid subscription.

While Microsoft is keeping VulnScan and the Microsoft Security Risk Detection platform close to its chest, Google has been open-sourcing most of its fuzz testing tools.

The company's engineers have previously released tools such as Domato, OSS-Fuzz, and syzkaller. Other open source tools for identifying the cause of application bugs include BugId, which also produces HTML reports similar to the one VulnScan provides.