Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The art of binary diffing


Published on

My ZeroNights 0x02 slides

Published in: Technology
  • Be the first to comment

The art of binary diffing

  1. 1. The Art of Binary Diffing orhow to find 0-dayz for free Nikita Tarakanov ZeroNights 0x02, Moscow
  2. 2. #WhoAmI• Crazy• Fucking• Wild• Russian
  3. 3. Agenda• Intro• Overview of problem(s) of Binary Diffing• Overview of differs• Dude, so how to find 0-dayz???• Conclusion• Q&A
  4. 4. Intro• 1dayz – what for?• 0dayz FTW!
  5. 5. Problem(s) of Binary Diffing• Asm instructions are not atomic• Different architectures• Different compilers(even compiling options)• Graph isomorphism – NP-full
  6. 6. Binary Diffing Sucks• Sucks
  7. 7. Binary Diffing Sucks• Sucks
  8. 8. Binary Diffing Sucks• Nope, it really SUCKS
  9. 9. Lets diff the differs!
  10. 10. Turbodiff• Own graph implementation• Special algo for unrecognized functions• Basic algo• Uses graphview• Sucks
  11. 11. PatchDiff• Several graph diffing algos• Uses IDA graph GUI• Sucks
  12. 12. BinDiff(out of scope)• A lot graph diffing algos(Customizing)• Own IL• Own graph diffing GUI• Costs money – Sucks• Sucks
  13. 13. Dude!So how to find 0dayz???
  14. 14. Idea №1• Security fix is a pattern• Sometime it’s even new type of vuln• Patterns -> Knowledge base
  15. 15. Idea №2• What about diffing software version N vs N+1• Adobe Reader 10.X vs 11• Windows 7 vs 8• This is fount of 0-dayz!• Nope, it’s not ½ dayz!
  16. 16. Diffing different versions• A lot of noise• How to define security fix?• Simple Patters: jnb->jb, strcpy -> strncpy etc• VSA• Construct dataflow
  17. 17. #lulz• Win32k.sys 0day• Was• Dropped• On• This• slide
  18. 18. Conclusion• Vendors don’t patch old versions • This is Pizdets
  19. 19. Q&A• Thanks You!• @NTarakanov