Recomendados
Recomendados
Mais conteúdo relacionado
Semelhante a Tarakanov the art of binary diffing
Semelhante a Tarakanov the art of binary diffing (20)
Mais de DefconRussia
Mais de DefconRussia (20)
Tarakanov the art of binary diffing
- 1. The Art of Binary Diffing or how to find 0-dayz for free Nikita Tarakanov ZeroNights 0x02, Moscow
- 2. #WhoAmI • Crazy • Fucking • Wild • Russian
- 3. Agenda • Intro • Overview of problem(s) of Binary Diffing • Overview of differs • Dude, so how to find 0-dayz??? • Conclusion • Q&A
- 4. Intro • 1dayz – what for? • 0dayz FTW!
- 5. Problem(s) of Binary Diffing • Asm instructions are not atomic • Different architectures • Different compilers(even compiling options) • Graph isomorphism – NP-full
- 6. Binary Diffing Sucks • Sucks
- 7. Binary Diffing Sucks • Sucks
- 8. Binary Diffing Sucks • Nope, it really SUCKS
- 9. Lets diff the differs!
- 10. Turbodiff • Own graph implementation • Special algo for unrecognized functions • Basic algo • Uses graphview • Sucks
- 11. PatchDiff • Several graph diffing algos • Uses IDA graph GUI • Sucks
- 12. BinDiff(out of scope) • A lot graph diffing algos(Customizing) • Own IL • Own graph diffing GUI • Costs money – Sucks • Sucks
- 13. Dude! So how to find 0dayz???
- 14. Idea №1 • Security fix is a pattern • Sometime it’s even new type of vuln • Patterns -> Knowledge base
- 15. Idea №2 • What about diffing software version N vs N+1 • Adobe Reader 10.X vs 11 • Windows 7 vs 8 • This is fount of 0-dayz! • Nope, it’s not ½ dayz!
- 16. Diffing different versions • A lot of noise • How to define security fix? • Simple Patters: jnb->jb, strcpy -> strncpy etc • VSA • Construct dataflow
- 17. #lulz • Win32k.sys 0day • Was • Dropped • On • This • slide
- 18. Conclusion • Vendors don’t patch old versions • This is Pizdets
- 19. Q&A • Thanks You! • @NTarakanov