
Computer Crash Reports Are an Untapped Goldmine for Hackers

When a flawed software update from security firm CrowdStrike inadvertently caused digital chaos around the world last month, the first signs were Windows computers displaying the blue screen of death. As websites and services went down and people scrambled to figure out what was happening, conflicting and inaccurate information was everywhere. Rushing to understand the crisis, longtime Mac security researcher Patrick Wardle knew there was one place he could look for facts: crash reports from computers affected by the bug.

“Even though I’m not a Windows researcher, I was curious about what was going on, and there was this dearth of information,” Wardle tells WIRED. “People were saying it was a Microsoft problem, because Windows systems were blue-screening, and there were all these crazy theories. But it actually had nothing to do with Microsoft. So I went to the crash reports, which to me are the absolute truth. And if you were looking at it, you could see the underlying cause long before CrowdStrike came out and said it.”

At the Black Hat security conference in Las Vegas on Thursday, Wardle argued that crash reports are an underused tool. Such system snapshots provide software developers and maintainers with information about potential problems with their code. And Wardle points out that they can be a particular source of information about potentially exploitable vulnerabilities in software, for both defenders and attackers.

In his talk, Wardle presented several examples of vulnerabilities he found in software by carefully examining the crash report for the possible cause after an app crashed. Users can easily view their crash reports on Windows, macOS, and Linux, and they are also available on Android and iOS, although they can be more difficult to access on mobile operating systems. Wardle notes that extracting information from crash reports requires a basic understanding of instructions written in low-level machine code known as assembly, but he stresses that the payoff is worth it.

In his Black Hat talk, Wardle presented several vulnerabilities he discovered simply by examining crash reports on his devices, including bugs in the YARA analysis tool and in the current version of Apple’s macOS operating system. In fact, when Wardle discovered in 2018 that an iOS bug was causing apps to crash whenever they displayed the Taiwanese flag emoji, he got to the bottom of what was happening using, you guessed it, crash reports.

“We conclusively revealed that Apple had complied with China’s demands to censor the Taiwanese flag, but their censorship code had a bug, ridiculous,” he says. “My friend who initially looked at this was like, ‘My phone has been hacked by the Chinese. Every time you text me it crashes. Or are you hacking me?’ And I said, ‘Rude, I wouldn’t hack you. And also, rude, if I hacked you, I wouldn’t crash your phone.’ So I pulled up the crash reports to see what was going on.”

Wardle points out that if he can find so many vulnerabilities simply by looking at crash reports from his and his friends’ devices, software developers must be looking there too. Both sophisticated criminal actors and state-sponsored hackers are likely already taking cues from crash reports. Over the years, news reports have indicated that intelligence agencies such as the US National Security Agency are mining crash logs. Wardle points out that crash reports are also a valuable source of information for detecting malware, as they can reveal anomalous and potentially suspicious activity. The notorious spyware broker NSO Group, for example, often built mechanisms into its malware specifically to delete crash reports immediately after infecting a device. And because malware is often buggy, crashes are more likely, which also makes crash reports valuable for attackers trying to figure out what went wrong with their code.

“With accident reports, the truth is out there,” Wardle says. “Or, I think, in there.”

Written by Anika Begay
