When a recent software update from CrowdStrike caused widespread digital disruption, Mac security researcher Patrick Wardle knew where to turn for answers: crash reports from affected computers. As Windows systems crashed and websites went down, Wardle sought out the system snapshots that provide insight into software problems.
“I’m not a Windows researcher, but I was intrigued by what was happening,” Wardle says. “People were saying it was a Microsoft problem, but it had nothing to do with Microsoft. I went to the crash reports, which hold the ultimate truth. If you were looking there, you were able to pinpoint the underlying cause long before CrowdStrike came out and said it.”
At the Black Hat security conference, Wardle highlighted the importance of crash reports in identifying software vulnerabilities. These system snapshots can provide valuable information for both defenders and attackers, and Wardle has used them to discover multiple vulnerabilities in software, including bugs in the analysis tool YARA and in Apple’s macOS operating system.
To glean insights from crash reports, Wardle notes that a basic understanding of Assembly language is necessary. However, he emphasizes that the payoff is worth it. Crash reports are available on various operating systems, including Windows, macOS, Linux, Android, and iOS, although they can be more challenging to access on mobile devices.
Wardle has used crash reports to investigate several high-profile incidents, including a 2018 iOS bug that caused apps to crash when displaying the Taiwanese flag emoji. By examining the crash reports, Wardle was able to determine that Apple had acquiesced to demands from China to censor the flag, but their censorship code had a bug.
“If I can find so many vulnerabilities just by looking at crash reports from my own devices and those of my friends, software developers need to be looking there, too,” Wardle says. Sophisticated hackers and state-backed actors are likely already using crash reports to identify vulnerabilities. Intelligence agencies, such as the US National Security Agency, have also been known to mine crash logs for information.
Crash reports can also be a valuable source of information for detecting malware, as they can reveal anomalous and potentially suspicious activity. Malware often deletes crash reports immediately upon infecting a device, and the fact that malware is often buggy makes crashes more likely and crash reports valuable to attackers for understanding what went wrong with their code.
“With crash reports, the truth is out there,” Wardle says. “Or, I guess, in there.”
