LAS VEGAS—Immunity, a company already well-known for making pen testing easy, demoed a new tool that will make writing exploits near-automatic.
Immunity released the tool, called Debugger, here at the Defcon hackers convention on Aug. 3. Debugger is free for download, with its revenue being driven by paid ads from companies looking to hire the pen testers who use such a tool. One of the first help-wanted ads taken out by such companies includes Applied Security.
Debugger comes with what Immunity says is the industrys first heap analysis tool built specifically for heap creation. It also sports a large Python API for easy extensibility and has function graphing as part of its user interface. The version released on Aug. 3 doesnt yet include stackvars.py, the automatic analysis script, but Immunity demonstrated the script and is showing it on its site.
Immunity is claiming that Debugger will cut exploit development time by 50 percent.
Not everybodys happy to hear that.
“Theyve got a good development community,” said Dave Marcus, security research and communications manager at McAfees Avert Labs, in an interview with eWEEK at Defcon. “But I look at it from the other side of house: What does this mean to the computing public?”
What it means is more zero days, Marcus said. “And thats certainly not a good thing. I think youll see a spike in zero days, and contributions to the zero-day initiative, because it makes it easier to find vulnerabilities. Youre making the job easier.
Immunity CEO Dave Aitel doesnt see any problem with helping customers find zero days. As a matter of fact, Immunity trains people to find zero days.
“Thats something we think all companies should do,” he told eWEEK. “Otherwise youll be sticking your head in the sand.”
Marcus said he doesnt think that “the bug exists already” argument is a good one. “Yes, we know that,” he said. “We know the bugs are in the code. But making more and more tools” to make it easier to find those bugs, that, he said, is not going to make his customers happy.
“Theyll all do this,” he said, rolling his eyes to the ceiling. “Great!”
Of course, there are already fuzzers that track down vulnerabilities that can lead to exploitation. However, until now, writing exploits has been the manual part of it, done in the “tweaking” process, Marcus said.
Now, the security industry doesnt have to write its own programs to automate the translation of a vulnerability to an exploit.
“You dont have to learn the Canvas API [another Immunity tool] or how to build exploits,” Aitel promised, as much of the functionality of these tools are built into Debugger.
Debuggers interfaces include a GUI and a command line thats always available at the bottom of the GUI. This allows users to type shortcuts as if they were in a typical text-based debugger. Immunity has also implemented aliases so that users of its other tools dont have to be retrained and can just leap into using the debugger interface.
Editors Note: This story was updated to correctly state that the automatic analysis script, although demoed, isnt included in Debugger Version 1. Also, the original story misidentified Applied Security. eWEEK regrets the errors.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.