Tarakanov the art of binary diffing

Slide 1. The Art of Binary Diffing, or how to find 0-dayz for free
Nikita Tarakanov, ZeroNights 0x02, Moscow

Slide 2. #WhoAmI
• Crazy
• Fucking
• Wild
• Russian

Slide 3. Agenda
• Intro
• Overview of problem(s) of Binary Diffing
• Overview of differs
• Dude, so how to find 0-dayz???
• Conclusion
• Q&A

Slide 4. Intro
• 1dayz – what for?
• 0dayz FTW!

Slide 5. Problem(s) of Binary Diffing
• Asm instructions are not atomic
• Different architectures
• Different compilers (even compiling options)
• Graph isomorphism – NP-complete

Slide 6. Binary Diffing Sucks
• Sucks

Slide 7. Binary Diffing Sucks
• Sucks

Slide 8. Binary Diffing Sucks
• Nope, it really SUCKS

Slide 9. Let's diff the differs!

Slide 10. Turbodiff
• Own graph implementation
• Special algo for unrecognized functions
• Basic algo
• Uses graphview
• Sucks

Slide 11. PatchDiff
• Several graph diffing algos
• Uses IDA graph GUI
• Sucks

Slide 12. BinDiff (out of scope)
• A lot of graph diffing algos (customizable)
• Own IL
• Own graph diffing GUI
• Costs money – Sucks
• Sucks

Slide 13. Dude! So how to find 0dayz???

Slide 14. Idea №1
• Security fix is a pattern
• Sometimes it's even a new type of vuln
• Patterns -> Knowledge base

Slide 15. Idea №2
• What about diffing software version N vs N+1?
• Adobe Reader 10.X vs 11
• Windows 7 vs 8
• This is a fount of 0-dayz!
• Nope, it's not ½ dayz!
Slide 16. Diffing different versions
• A lot of noise
• How to define a security fix?
• Simple patterns: jnb -> jb, strcpy -> strncpy, etc.
• VSA (value-set analysis)
• Construct dataflow
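Slides 14 and 16 make two points: a security fix is a recognisable pattern (jnb -> jb, strcpy -> strncpy) that belongs in a knowledge base, and a version-vs-version diff is mostly noise. The script below is an added example, not code from the talk or from any of the differs it mentions. It diffs two constructed IDA-style listings of one function with Python's `difflib`, masks immediates and auto-generated labels so relocation noise does not register as a change, and matches what is left against a small knowledge base of patch patterns; the two listings, the function names and every pattern other than the slide's own two pairs are assumptions. Unexplained changes are counted as noise rather than flagged, which is the honest answer for the "how to define a security fix?" bullet: the simple patterns explain some of the diff, and the rest needs VSA or dataflow.

```python
"""Added example (not from the slides): flag "security-fix smells" in the diff of one
function. Uses the deck's simple patterns (jnb->jb, strcpy->strncpy) plus analogous
pairs assumed here. Input is plain IDA-style disassembly text; listings are constructed."""
import difflib
import re
from dataclasses import dataclass

# Knowledge base: (old, new) -> what the change usually means.
# The first entry of each dict is the slide's example; the others are assumptions.
COND_JUMP_FLIPS = {
    ("jnb", "jb"): "unsigned branch direction flipped: probable bounds-check fix",
    ("jae", "jb"): "unsigned branch direction flipped: probable bounds-check fix",
    ("ja", "jbe"): "unsigned branch direction flipped: probable off-by-one fix",
    ("jg", "jbe"): "signed compare replaced by unsigned: probable negative-length fix",
}
CALL_SWAPS = {
    ("strcpy", "strncpy"): "unbounded copy replaced by length-limited copy",
    ("strcat", "strncat"): "unbounded concat replaced by length-limited concat",
    ("sprintf", "snprintf"): "unbounded format replaced by length-limited format",
}

INSN_RE = re.compile(r"^\s*(?:[0-9A-Fa-f]+:\s+)?([A-Za-z]\w*)\s*(.*?)\s*$")
NUM_RE = re.compile(r"\b(?:0x[0-9A-Fa-f]+|[0-9][0-9A-Fa-f]*h?)\b")
LABEL_RE = re.compile(r"\b(?:loc|sub|off|unk)_[0-9A-Fa-f]+\b")


@dataclass
class Finding:
    kind: str   # "cond_jump_flip", "call_swap" or "added_check"
    old: str
    new: str
    note: str


def parse(listing):
    """Listing text -> list of (mnemonic, operands); labels and ';' comments are dropped."""
    insns = []
    for line in listing.splitlines():
        line = line.split(";")[0].strip()
        if not line or line.endswith(":"):
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append((m.group(1).lower(), m.group(2)))
    return insns


def callee(insn):
    """Symbol called by a `call`, with IDA/import decoration (ds:, __imp_, _, @N) stripped."""
    mnem, ops = insn
    if mnem != "call":
        return None
    name = re.sub(r"[\[\]]|ds:|__imp_", "", ops).split("@")[0]
    return name.strip().lstrip("_").lower()


def norm(ops):
    """Mask immediates, displacements and auto-named labels: relocation noise must not diff."""
    return NUM_RE.sub("IMM", LABEL_RE.sub("LABEL", ops))


def token(insn):
    """Comparison key for one instruction."""
    mnem, ops = insn
    if mnem == "call":
        return "call " + (callee(insn) or ops)
    return f"{mnem} {norm(ops)}".strip()


def fmt(insn):
    return f"{insn[0]} {insn[1]}".strip()


def is_cond_jump(mnem):
    return mnem.startswith("j") and mnem != "jmp"


def match_pair(old, new):
    """Classify one replaced instruction against the knowledge base (None = unexplained)."""
    (om, oo), (nm, no) = old, new
    if (om, nm) in COND_JUMP_FLIPS and norm(oo) == norm(no):
        return Finding("cond_jump_flip", fmt(old), fmt(new), COND_JUMP_FLIPS[(om, nm)])
    oc, nc = callee(old), callee(new)
    if oc and nc and (oc, nc) in CALL_SWAPS:
        return Finding("call_swap", fmt(old), fmt(new), CALL_SWAPS[(oc, nc)])
    return None


def has_inserted_check(insns):
    """True if the inserted run contains a cmp/test immediately followed by a conditional jump."""
    return any(a in ("cmp", "test") and is_cond_jump(b)
               for (a, _), (b, _) in zip(insns, insns[1:]))


def classify_diff(old_listing, new_listing):
    """Return (findings, noise): pattern hits, plus the count of changed instructions
    that no pattern explains (the slide's 'a lot of noise')."""
    old, new = parse(old_listing), parse(new_listing)
    sm = difflib.SequenceMatcher(a=[token(i) for i in old], b=[token(i) for i in new],
                                 autojunk=False)
    findings, noise = [], 0
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        removed, added = old[i1:i2], new[j1:j2]
        if tag == "replace":                      # pair up replaced instructions
            k = min(len(removed), len(added))
            for o, n in zip(removed, added):
                f = match_pair(o, n)
                if f:
                    findings.append(f)
                else:
                    noise += 1
            removed, added = removed[k:], added[k:]
        if added and has_inserted_check(added):   # pure insertion of a guard
            findings.append(Finding("added_check", "", " / ".join(map(fmt, added)),
                                    "new compare/test guarding a branch: probable added validation"))
            added = []
        noise += len(removed) + len(added)
    return findings, noise


# Constructed listings of one function, before and after a hypothetical patch.
OLD_LISTING = """
push    ebp
mov     ebp, esp
mov     eax, [ebp+8]          ; len
mov     ecx, [ebp+0Ch]        ; src
lea     edx, [ebp-100h]       ; 256-byte stack buffer
cmp     eax, 100h
jnb     short loc_copy        ; copies when len >= 0x100: the check is inverted
loc_fail:
xor     eax, eax
pop     ebp
retn
loc_copy:
push    ecx
push    edx
call    _strcpy
add     esp, 8
pop     ebp
retn
"""
NEW_LISTING = """
push    ebp
mov     ebp, esp
mov     eax, [ebp+8]
mov     ecx, [ebp+0Ch]
lea     edx, [ebp-100h]
test    ecx, ecx              ; added NULL check
jz      short loc_fail
cmp     eax, 100h
jb      short loc_copy        ; direction fixed
loc_fail:
xor     eax, eax
pop     ebp
retn
loc_copy:
push    eax                   ; length argument for strncpy
push    ecx
push    edx
call    _strncpy
add     esp, 0Ch
pop     ebp
retn
"""

if __name__ == "__main__":
    found, noise = classify_diff(OLD_LISTING, NEW_LISTING)
    for f in found:
        print(f"[{f.kind}] {f.old} -> {f.new}: {f.note}")
    print(f"unexplained changed instructions: {noise}")
```

On the constructed pair the script reports the inserted NULL check, the jnb -> jb flip and the strcpy -> strncpy swap, and counts the extra `push eax` (the new length argument) as one unexplained instruction. Extending the two dictionaries is where the "patterns -> knowledge base" idea lives; the instruction-level matcher deliberately stops where the slide's next two bullets (VSA, dataflow) begin.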
Slide 17. #lulz
• Win32k.sys 0day
• Was
• Dropped
• On
• This
• slide

Slide 18. Conclusion
• Vendors don't patch old versions
• This is Pizdets

Slide 19. Q&A
• Thank you!
• @NTarakanov