The art of binary diffing

My ZeroNights 0x02 slides

Published in: Technology


  1. The Art of Binary Diffing, or how to find 0-dayz for free. Nikita Tarakanov, ZeroNights 0x02, Moscow
  2. #WhoAmI
     • Crazy
     • Fucking
     • Wild
     • Russian
  3. Agenda
     • Intro
     • Overview of problem(s) of binary diffing
     • Overview of differs
     • Dude, so how to find 0-dayz???
     • Conclusion
     • Q&A
  4. Intro
     • 1dayz: what for?
     • 0dayz FTW!
  5. Problem(s) of binary diffing
     • Asm instructions are not atomic
     • Different architectures
     • Different compilers (even different compiler options)
     • Graph isomorphism is NP-complete
  6. Binary diffing sucks
     • Sucks
  7. Binary diffing sucks
     • Sucks
  8. Binary diffing sucks
     • Nope, it really SUCKS
  9. Let's diff the differs!
  10. Turbodiff
     • Own graph implementation
     • Special algo for unrecognized functions
     • Basic algo
     • Uses graphview
     • Sucks
  11. PatchDiff
     • Several graph diffing algos
     • Uses IDA graph GUI
     • Sucks
  12. BinDiff (out of scope)
     • A lot of graph diffing algos (customizable)
     • Own IL
     • Own graph diffing GUI
     • Costs money: sucks
     • Sucks
  13. Dude! So how to find 0dayz???
  14. Idea №1
     • A security fix is a pattern
     • Sometimes it's even a new type of vuln
     • Patterns -> knowledge base
  15. Idea №2
     • What about diffing software version N vs N+1?
     • Adobe Reader 10.X vs 11
     • Windows 7 vs 8
     • This is a fount of 0-dayz!
     • Nope, it's not ½ dayz!
  16. Diffing different versions
     • A lot of noise
     • How to define a security fix?
     • Simple patterns: jnb -> jb, strcpy -> strncpy, etc.
     • VSA
     • Construct dataflow
  17. #lulz
     • Win32k.sys 0day
     • Was
     • Dropped
     • On
     • This
     • slide
  18. Conclusion
     • Vendors don't patch old versions
     • This is Pizdets
  19. Q&A
     • Thank you!
     • @NTarakanov
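Slides 14 and 16 describe the approach: treat a security fix as a recognisable pattern, keep those patterns in a knowledge base, and use it to pick fixes out of the noise when diffing version N against N+1. As an added example (not part of the original slides), the Python script below diffs two constructed disassembly listings of one function and flags changed lines that match the knowledge base; the listings, the `addr: insn` line format, the jbe -> jb entry and the label normalisation are assumptions made here.

```python
# Pattern-based triage of a function diff ("a security fix is a pattern"); constructed example.
import difflib
import re

# Knowledge base: (old mnemonic or callee, new one) -> what the change suggests.
# jnb->jb and strcpy->strncpy are the slides' examples; jbe->jb is an assumed extra.
PATTERNS = {
    ("jnb", "jb"): "branch flipped: bounds-check direction changed",
    ("jbe", "jb"): "off-by-one: '<=' tightened to '<'",
    ("strcpy", "strncpy"): "unbounded copy replaced with bounded copy",
}
ADDR = re.compile(r"^\s*[0-9a-fA-F]+:\s+")       # constructed "addr: insn" listing format
LABEL = re.compile(r"\b(loc|sub)_[0-9a-fA-F]+")  # relocated labels are pure noise

def normalize(line):
    """Strip the address and neutralise label numbers so only code is compared."""
    return LABEL.sub(r"\1_?", " ".join(ADDR.sub("", line).split()))

def mnemonic(line):
    """Mnemonic of the instruction, or the callee name for a 'call'."""
    parts = normalize(line).split()
    if len(parts) > 1 and parts[0] == "call":
        return parts[1]
    return parts[0] if parts else ""

def triage(old, new):
    """Diff two listings; return (hits, noise) with hits = (old, new, meaning)."""
    a, b = [normalize(l) for l in old], [normalize(l) for l in new]
    hits, noise = [], 0
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(a=a, b=b, autojunk=False).get_opcodes():
        if tag == "equal":
            continue
        seen_old, seen_new = set(), set()
        for x in range(i1, i2):          # hunks are small, so try every pairing
            for y in range(j1, j2):
                meaning = PATTERNS.get((mnemonic(a[x]), mnemonic(b[y])))
                if meaning:
                    hits.append((a[x], b[y], meaning))
                    seen_old.add(x)
                    seen_new.add(y)
        noise += (i2 - i1 - len(seen_old)) + (j2 - j1 - len(seen_new))  # unexplained lines
    return hits, noise

# Constructed old/new listings of one function; not taken from any real binary.
OLD = ["401000: mov eax, [ebp+8]", "401003: cmp eax, 100h", "401008: jnb short loc_401030",
       "40100a: push eax", "40100b: push offset buf", "401010: call strcpy",
       "401015: add esp, 8", "401018: retn"]
NEW = ["401000: mov eax, [ebp+8]", "401003: cmp eax, 100h", "401008: jb short loc_401034",
       "40100a: push 100h", "40100c: push eax", "40100d: push offset buf",
       "401012: call strncpy", "401017: add esp, 0Ch", "40101a: retn"]
```

On the constructed listings `triage(OLD, NEW)` reports the jnb -> jb and strcpy -> strncpy hits and counts the three remaining changed lines (the extra push and the two stack adjustments) as noise, which is the separation slide 16 asks for.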
