SlideShare a Scribd company logo

The art of binary diffing

N
NTarakanov

My ZeroNights 0x02 slides

Technology
1 of 19
Download to read offline
The Art of Binary Diffing or how to find 0-dayz for free Nikita Tarakanov ZeroNights 0x02, Moscow
#WhoAmI • Crazy • Fucking • Wild • Russian
Agenda • Intro • Overview of problem(s) of Binary Diffing • Overview of differs • Dude, so how to find 0-dayz??? • Conclusion • Q&A
Intro • 1dayz – what for? • 0dayz FTW!
Problem(s) of Binary Diffing • Asm instructions are not atomic • Different architectures • Different compilers(even compiling options) • Graph isomorphism – NP-full
Binary Diffing Sucks • Sucks
Binary Diffing Sucks • Sucks
Binary Diffing Sucks • Nope, it really SUCKS
Lets diff the differs!
Turbodiff • Own graph implementation • Special algo for unrecognized functions • Basic algo • Uses graphview • Sucks
PatchDiff • Several graph diffing algos • Uses IDA graph GUI • Sucks
BinDiff(out of scope) • A lot graph diffing algos(Customizing) • Own IL • Own graph diffing GUI • Costs money – Sucks • Sucks
Dude! So how to find 0dayz???
Idea №1 • Security fix is a pattern • Sometime it’s even new type of vuln • Patterns -> Knowledge base
Idea №2 • What about diffing software version N vs N+1 • Adobe Reader 10.X vs 11 • Windows 7 vs 8 • This is fount of 0-dayz! • Nope, it’s not ½ dayz!
Diffing different versions • A lot of noise • How to define security fix? • Simple Patters: jnb->jb, strcpy -> strncpy etc • VSA • Construct dataflow
#lulz • Win32k.sys 0day • Was • Dropped • On • This • slide
Conclusion • Vendors don’t patch old versions • This is Pizdets
Q&A • Thanks You! • @NTarakanov

Recommended

Ruby in prijatelji
Ruby in prijateljiRuby in prijatelji
Ruby in prijatelji
Oto Brglez
 
Magritte Magic
Magritte MagicMagritte Magic
Magritte Magic
ESUG
 
Advanced xss
Advanced xssAdvanced xss
Advanced xss
Gajendra Saini
 
Attacking http2 implementations (1)
Attacking http2 implementations (1)Attacking http2 implementations (1)
Attacking http2 implementations (1)
John Villamil
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Java on the GPU: Where are we now?
Java on the GPU: Where are we now?Java on the GPU: Where are we now?
Java on the GPU: Where are we now?
Dmitry Alexandrov
 
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane EcosystemDownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
FITC
 

Recommended

Ruby in prijatelji
Ruby in prijateljiRuby in prijatelji
Ruby in prijatelji
Oto Brglez
 
Magritte Magic
Magritte MagicMagritte Magic
Magritte Magic
ESUG
 
Advanced xss
Advanced xssAdvanced xss
Advanced xss
Gajendra Saini
 
Attacking http2 implementations (1)
Attacking http2 implementations (1)Attacking http2 implementations (1)
Attacking http2 implementations (1)
John Villamil
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Java on the GPU: Where are we now?
Java on the GPU: Where are we now?Java on the GPU: Where are we now?
Java on the GPU: Where are we now?
Dmitry Alexandrov
 
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane EcosystemDownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
FITC
 
みんなのNode.js
みんなのNode.jsみんなのNode.js
みんなのNode.js
ogom_
 
Mobile Knife Fighting at JSConf US
Mobile Knife Fighting at JSConf US Mobile Knife Fighting at JSConf US
Mobile Knife Fighting at JSConf US
Brian LeRoux
 
Hackathon Slides
Hackathon SlidesHackathon Slides
Hackathon Slides
Jen Looper
 
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane EcosystemDownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
FITC
 
Getting started in mobile games
Getting started in mobile gamesGetting started in mobile games
Getting started in mobile games
ahamidi27
 
Posladkajmo si JavaScript z uporabo TypeScript a
Posladkajmo si JavaScript z uporabo TypeScript aPosladkajmo si JavaScript z uporabo TypeScript a
Posladkajmo si JavaScript z uporabo TypeScript a
Peter A. Pirc
 
Introduction to arduino
Introduction to arduinoIntroduction to arduino
Introduction to arduino
Preet Sangha
 
Rubyconf2012 recap
Rubyconf2012 recapRubyconf2012 recap
Rubyconf2012 recap
Forrest Chang
 
Get your Project back in Shape!
Get your Project back in Shape!Get your Project back in Shape!
Get your Project back in Shape!
Joachim Tuchel
 
Kick ass code editing and end to end JavaScript debugging
Kick ass code editing and end to end JavaScript debuggingKick ass code editing and end to end JavaScript debugging
Kick ass code editing and end to end JavaScript debugging
Fabian Jakobs
 
Tooling for the JavaScript Era
Tooling for the JavaScript EraTooling for the JavaScript Era
Tooling for the JavaScript Era
martinlippert
 
Saas rad with django, django rest framework
Saas rad with django, django rest frameworkSaas rad with django, django rest framework
Saas rad with django, django rest framework
Marco Montanari
 
Lean & agile with MongoDB
Lean & agile with MongoDBLean & agile with MongoDB
Lean & agile with MongoDB
Johannes Brandstetter
 
Back to Space
Back to SpaceBack to Space
Back to Space
Timmy Kokke
 
GR8Conf 2011: STS DSL Support
GR8Conf 2011: STS DSL SupportGR8Conf 2011: STS DSL Support
GR8Conf 2011: STS DSL Support
GR8Conf
 
Better DSL Support for Groovy-Eclipse
Better DSL Support for Groovy-EclipseBetter DSL Support for Groovy-Eclipse
Better DSL Support for Groovy-Eclipse
Andrew Eisenberg
 
Low Level Graphics & OpenGL
Low Level Graphics & OpenGLLow Level Graphics & OpenGL
Low Level Graphics & OpenGL
Dominic Farolino
 
Java and the Web
Java and the WebJava and the Web
Java and the Web
Dmitry Buzdin
 
2011 05-jszurich
2011 05-jszurich2011 05-jszurich
2011 05-jszurich
Julian Viereck
 
Test
TestTest
Test
PaulMWatson
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
 

More Related Content

Similar to The art of binary diffing

DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane EcosystemDownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
FITC
 
Getting started in mobile games
Getting started in mobile gamesGetting started in mobile games
Getting started in mobile games
ahamidi27
 
Posladkajmo si JavaScript z uporabo TypeScript a
Posladkajmo si JavaScript z uporabo TypeScript aPosladkajmo si JavaScript z uporabo TypeScript a
Posladkajmo si JavaScript z uporabo TypeScript a
Peter A. Pirc
 
Tooling for the JavaScript Era
Tooling for the JavaScript EraTooling for the JavaScript Era
Tooling for the JavaScript Era
martinlippert
 
GR8Conf 2011: STS DSL Support
GR8Conf 2011: STS DSL SupportGR8Conf 2011: STS DSL Support
GR8Conf 2011: STS DSL Support
GR8Conf
 

Similar to The art of binary diffing (20)

みんなのNode.js
みんなのNode.jsみんなのNode.js
みんなのNode.js
 
Mobile Knife Fighting at JSConf US
Mobile Knife Fighting at JSConf US Mobile Knife Fighting at JSConf US
Mobile Knife Fighting at JSConf US
 
Hackathon Slides
Hackathon SlidesHackathon Slides
Hackathon Slides
 
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane EcosystemDownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
DownTheRabbitHole.js – How to Stay Sane in an Insane Ecosystem
 
Getting started in mobile games
Getting started in mobile gamesGetting started in mobile games
Getting started in mobile games
 
Posladkajmo si JavaScript z uporabo TypeScript a
Posladkajmo si JavaScript z uporabo TypeScript aPosladkajmo si JavaScript z uporabo TypeScript a
Posladkajmo si JavaScript z uporabo TypeScript a
 
Introduction to arduino
Introduction to arduinoIntroduction to arduino
Introduction to arduino
 
Rubyconf2012 recap
Rubyconf2012 recapRubyconf2012 recap
Rubyconf2012 recap
 
Get your Project back in Shape!
Get your Project back in Shape!Get your Project back in Shape!
Get your Project back in Shape!
 
Kick ass code editing and end to end JavaScript debugging
Kick ass code editing and end to end JavaScript debuggingKick ass code editing and end to end JavaScript debugging
Kick ass code editing and end to end JavaScript debugging
 
Tooling for the JavaScript Era
Tooling for the JavaScript EraTooling for the JavaScript Era
Tooling for the JavaScript Era
 
Saas rad with django, django rest framework
Saas rad with django, django rest frameworkSaas rad with django, django rest framework
Saas rad with django, django rest framework
 
Lean & agile with MongoDB
Lean & agile with MongoDBLean & agile with MongoDB
Lean & agile with MongoDB
 
Back to Space
Back to SpaceBack to Space
Back to Space
 
GR8Conf 2011: STS DSL Support
GR8Conf 2011: STS DSL SupportGR8Conf 2011: STS DSL Support
GR8Conf 2011: STS DSL Support
 
Better DSL Support for Groovy-Eclipse
Better DSL Support for Groovy-EclipseBetter DSL Support for Groovy-Eclipse
Better DSL Support for Groovy-Eclipse
 
Low Level Graphics & OpenGL
Low Level Graphics & OpenGLLow Level Graphics & OpenGL
Low Level Graphics & OpenGL
 
Java and the Web
Java and the WebJava and the Web
Java and the Web
 
2011 05-jszurich
2011 05-jszurich2011 05-jszurich
2011 05-jszurich
 
Test
TestTest
Test
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

The art of binary diffing